From: Stefan Kangas
Newsgroups: gmane.emacs.bugs
Subject: bug#19479: Package manager vulnerable
Date: Mon, 7 Sep 2020 10:19:13 -0700
To: 19479@debbugs.gnu.org
In-Reply-To: Kelly Dean's message of "Thu, 01 Jan 2015 12:38:59 +0000"
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: security
Xref: news.gmane.io gmane.emacs.bugs:187460

Kelly Dean writes:

> Stop distributing elpa-key signatures of packages, since they're
> superfluous if you have package hashes in archive-contents and have
> elpa-key signatures of archive-contents, and you already have the
> latter.

I disagree with this part.  We should continue signing packages _at
least_ until such a time that there is likely to be zero users left who
are using an Emacs version without support for checking package hashes.

> Optional alternative timestamp handling, as Ivan pointed out that
> Debian does (at least sometimes): Instead of expiring archive-contents
> after some limit configured in Emacs, put an explicit expiration date
> in it.  Personally, I don't like server-supplied expiration dates, kind
> of for a similar reason that RMS doesn't like server-supplied
> Javascript, or maybe just because I have too many irritating memories
> of expired SSL certs.

Is there any reason not to support both?  Package archives could decide
if they want to use this functionality or not, as could users.

> One more feature: include in each version of archive-contents a hash
> (and length) of the previous version of that file.  This isn't
> necessary for preventing any of the vulnerabilities above, but it's
> easy insurance that slightly mitigates the disaster if the metadata
> signing key is compromised.  It's pointless unless both the above
> problems are fixed, so it makes sense to put it here.
Does anyone understand how this would improve security in our case? AFAIU, it can help with APT since they support distributing package metadata in several files. ELPA uses only one file, so I'm not sure it would make much of a difference?
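The three metadata checks the thread discusses (hash and length per package, a server-supplied expiry alongside a client-configured maximum age, and a hash and length of the previous archive-contents) modelled as an added Python example.  This is not code from the thread, from package.el or from ELPA: it assumes a JSON layout with invented field names (issued, expires, prev, packages), a constructed key, and an HMAC-SHA256 standing in for the OpenPGP signature so the example runs offline.  The demo() scenario exercises the chain check against a replayed older file and against a forged successor signed with the (assumed compromised) metadata key.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the archive's metadata signing key.  A real
# archive uses an OpenPGP key; HMAC-SHA256 keeps the example runnable.
METADATA_KEY = b"constructed-metadata-signing-key"


def digest(data: bytes) -> dict:
    """Hash and length, the two fields proposed for each package and
    for the previous archive-contents."""
    return {"sha256": hashlib.sha256(data).hexdigest(), "length": len(data)}


def sign(payload: bytes, key: bytes = METADATA_KEY) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def make_archive_contents(packages, prev, issued, lifetime, key=METADATA_KEY):
    """Build a signed archive-contents (assumed JSON layout).  `packages`
    maps name -> tarball bytes; `prev` is the previous file's bytes or None."""
    doc = {
        "issued": issued.isoformat(),
        "expires": (issued + lifetime).isoformat(),
        "prev": None if prev is None else digest(prev),
        "packages": {name: digest(tar) for name, tar in packages.items()},
    }
    payload = json.dumps(doc, sort_keys=True).encode()
    return payload, sign(payload, key)


def check_archive_contents(payload, sig, cached, now, max_age, key=METADATA_KEY):
    """Return "ok" or the reason the client must reject the metadata.
    `cached` is the last archive-contents this client accepted (or None)."""
    if not hmac.compare_digest(sign(payload, key), sig):
        return "bad signature"
    doc = json.loads(payload)
    # Both expiry styles from the thread, either one failing rejects:
    # a server-supplied date and a client-configured maximum age.
    if now > datetime.fromisoformat(doc["expires"]):
        return "server expiry passed"
    if now - datetime.fromisoformat(doc["issued"]) > max_age:
        return "older than client max age"
    # Chain link: the new file must name the one we already hold as its
    # predecessor (the identical file being re-served is also fine).
    if cached is not None and payload != cached and doc["prev"] != digest(cached):
        return "chain mismatch (rollback or fork)"
    return "ok"


def check_package(payload, name, tarball) -> bool:
    """Verify a downloaded tarball against the hash+length in the metadata."""
    entry = json.loads(payload)["packages"].get(name)
    return entry is not None and entry == digest(tarball)


def demo():
    """Constructed scenario: two honest releases, then a forged successor
    to the first one produced with the metadata key."""
    now = datetime(2020, 9, 7, tzinfo=timezone.utc)
    week = timedelta(days=7)
    foo_v1 = b"constructed tarball: foo 1.0"
    foo_v2 = b"constructed tarball: foo 1.1"
    evil = b"constructed tarball: foo 1.1 with backdoor"

    v1, s1 = make_archive_contents({"foo": foo_v1}, None, now, week)
    v2, s2 = make_archive_contents({"foo": foo_v2}, v1, now + timedelta(days=1), week)
    bad, sbad = make_archive_contents({"foo": evil}, v1, now + timedelta(days=1), week)
    later = now + timedelta(days=2)

    return {
        "fresh_upgrade": check_archive_contents(v2, s2, v1, later, week),
        "rollback_to_v1": check_archive_contents(v1, s1, v2, later, week),
        "fork_seen_by_v2_client": check_archive_contents(bad, sbad, v2, later, week),
        "fork_seen_by_v1_client": check_archive_contents(bad, sbad, v1, later, week),
        "expired": check_archive_contents(v2, s2, v1, now + timedelta(days=30), timedelta(days=60)),
        "stale_for_client": check_archive_contents(v2, s2, v1, now + timedelta(days=4), timedelta(days=2)),
        "tampered_sig": check_archive_contents(v2, s1, v1, later, week),
        "good_tarball": check_package(v2, "foo", foo_v2),
        "bad_tarball": check_package(v2, "foo", evil),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24} {result}")
```

What the scenario makes visible: the previous-file link lets a client that already holds v2 reject both a replayed v1 and a forged successor to v1, but a client still at v1 accepts that forgery, so the chain only protects clients that are past the fork point and only detects the problem, it does not stop the key holder from signing.  A client that skipped a release cannot link at all under this toy and would have to fetch the intermediate files; a real design needs to decide how that case is handled.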