From: Stefan Kangas <stefan@marxist.se>
To: 19479@debbugs.gnu.org
Subject: bug#19479: Package manager vulnerable
Date: Mon, 7 Sep 2020 10:19:13 -0700 [thread overview]
Message-ID: <CADwFkmmPqLggMFm_YxfpxxHH_oH1UhwXxeP9MARwc-QW2zmL-g@mail.gmail.com> (raw)
In-Reply-To: <OYNAdwJtSjDBqdP8v3CmmCvPSb3L6y6lTYtZpQrTySr@local> (Kelly Dean's message of "Thu, 01 Jan 2015 12:38:59 +0000")
Kelly Dean <kelly@prtime.org> writes:
> Stop distributing elpa-key signatures of packages, since they're
> superfluous if you have package hashes in archive-contents and have
> elpa-key signatures of archive-contents, and you already have the
> latter.
I disagree with this part.
We should continue signing packages _at least_ until such a time that
there is likely to be zero users left who are using an Emacs version
without support for checking package hashes.
> Optional alternative timestamp handling, as Ivan pointed out that
> Debian does (at least sometimes): Instead of expiring archive-contents
> after some limit configured in Emacs, put an explicit expiration date
> in it. Personally, I don't like server-supplied expiration dates, kind
> of for a similar reason that RMS doesn't like server-supplied
> Javascript, or maybe just because I have too many irritating memories
> of expired SSL certs.
Is there any reason not to support both? Package archives could decide
if they want to use this functionality or not, as could users.
> One more feature: include in each version of archive-contents a hash (and
> length) of the previous version of that file. This isn't necessary for
> preventing any of the vulnerabilities above, but it's easy insurance that
> slightly mitigates the disaster if the metadata signing key is compromised. It's
> pointless unless both the above problems are fixed, so it makes sense to put it
> here.
Does anyone understand how this would improve security in our case?
AFAIU, it can help with APT since they support distributing package
metadata in several files. ELPA uses only one file, so I'm not sure it
would make much of a difference?
next prev parent reply other threads:[~2020-09-07 17:19 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <qRgJhF1EfrtAmBqmyTLGcOkoyCcHP7kWm6t8KBDxra2@local>
2015-01-01 12:38 ` bug#19479: Package manager vulnerable Kelly Dean
2015-01-04 20:00 ` Stefan Monnier
2015-01-05 1:11 ` Kelly Dean
2015-01-05 2:16 ` Stefan Monnier
2015-01-08 3:31 ` bug#19479: [PATCH] " Kelly Dean
2015-01-08 3:44 ` Glenn Morris
2015-01-08 5:29 ` Kelly Dean
2015-01-08 14:39 ` Stefan Monnier
2015-01-08 21:06 ` Kelly Dean
2015-01-09 2:37 ` Stefan Monnier
2015-01-09 6:59 ` bug#19479: Copyright issue (was: Re: bug#19479: Package manager vulnerable) Kelly Dean
2015-01-09 15:17 ` bug#19479: Copyright issue Stefan Monnier
2015-01-09 15:29 ` David Kastrup
2015-01-09 19:57 ` Kelly Dean
[not found] ` <EitH3yok1Itmynw5Ex1Vi3AuvkREurR1ccm1J5MQD4E@local>
2015-01-09 20:24 ` Glenn Morris
[not found] ` <0etwzzu2gd.fsf@fencepost.gnu.org>
2015-01-09 20:32 ` Glenn Morris
2015-02-24 8:47 ` bug#19479: Emacs package manager vulnerable to replay attacks Kelly Dean
2015-01-11 2:56 ` bug#19479: (on-topic) Re: bug#19479: Package manager vulnerable Kelly Dean
2015-01-20 21:18 ` bug#19479: Disclaimer is now on file at FSF Kelly Dean
2015-02-24 18:11 ` Glenn Morris
2017-09-03 1:10 ` bug#19479: Package manager vulnerable Glenn Morris
2019-10-04 9:49 ` Stefan Kangas
2020-05-06 0:55 ` Noam Postavsky
2020-09-06 23:59 ` Stefan Kangas
2020-09-07 14:14 ` Noam Postavsky
2020-09-07 18:11 ` Stefan Kangas
2020-11-21 23:51 ` bug#19479: Package manager vulnerable to replay attacks Stefan Kangas
2020-11-26 0:43 ` Stefan Monnier
2020-11-26 2:06 ` Stefan Kangas
2020-11-26 2:30 ` Stefan Monnier
2020-11-26 3:02 ` Stefan Kangas
2020-11-26 3:11 ` Stefan Monnier
2020-11-26 3:56 ` Jean Louis
2020-09-07 17:19 ` Stefan Kangas [this message]
2020-09-07 23:54 ` bug#19479: Package manager vulnerable Noam Postavsky
2020-09-08 8:10 ` Stefan Kangas
[not found] <E1Y8Bor-0003yH-Mu@fencepost.gnu.org>
2015-01-06 6:38 ` Kelly Dean
2015-01-07 4:27 ` Richard Stallman
2015-01-08 3:33 bug#19536: [PATCH] package-upload-buffer-internal fails for tar files Kelly Dean
2015-01-08 5:50 ` Stefan Monnier
2015-01-08 7:10 ` Kelly Dean
2015-01-08 11:40 ` bug#19479: Package manager vulnerable Kelly Dean
2015-02-18 1:03 ` bug#19536: package-upload-buffer-internal fails for tar files Kelly Dean
[not found] <0ylhjngoxs.fsf@fencepost.gnu.org>
2015-02-24 23:02 ` bug#19479: Disclaimer is now on file at FSF Kelly Dean
[not found] ` <5j6SB8Hmg5euoiN2VLa1iolGVWZxTvwQ1LnsgFUQiDZ@local>
2015-02-25 21:09 ` Glenn Morris
[not found] ` <yuegpd8zq2.fsf@fencepost.gnu.org>
2017-09-02 12:24 ` Eli Zaretskii
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CADwFkmmPqLggMFm_YxfpxxHH_oH1UhwXxeP9MARwc-QW2zmL-g@mail.gmail.com \
--to=stefan@marxist.se \
--cc=19479@debbugs.gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).