bug#61277: FR: ELPA security - Restrict package builds to signed git commits

[Richard Stallman <rms@gnu.org>]

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > As discussed on emacs-devel it would be good if ELPA security could be
  > improved, preventing potential breaches on the side of the source
  > repository. This feature becomes more relevant the more packages are
  > :auto-sync'ed from their source repository.

I agree that we need to clean up the social system for maintaining GNU ELPA
packages.  It should be as clear and documented as that for Emacs core.

  > My git commits are usually signed, so one could check the signature of
  > each commit which leads to a package build. This feature could be opt-in
  > for now, enabled via an attribute :signature in the elpa-packages
  > configuration. Maybe elpa-packages could store the fingerprint(s) of the
  > expected GPG key(s)?

What do other maintainers think of this?

It addresses one ways of handlng GNU ELPA packagesm, but not all GNU
ELPA packages are handled in this way.  What other categories of
packages do we need to consider?

  > In the case of a breach,

Breach of precisely what?  To think about this issue
requires an answer to that question.

                             both the SSH and GPG keys may be stolen, which
  > would allow an attacker to create commits on hosted repositories, such
  > that the mechanism would not help. However the source repository may
  > also get compromised via other vectors.

Is this a problem that has a solution?

Should we move this to emacs-devel?  A specific bug ticket
is not the right place for such an important topic.

-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)