From: Richard Stallman <rms@gnu.org>
Newsgroups: gmane.emacs.bugs
Subject: bug#61277: FR: ELPA security - Restrict package builds to signed git commits
Date: Mon, 06 Feb 2023 22:56:35 -0500
To: Daniel Mendler
Cc: 61277@debbugs.gnu.org, stefan@marxist.se, yantar92@posteo.net, monnier@iro.umontreal.ca
References: <87pmapqoo5.fsf@daniel-mendler.de>
In-Reply-To: <87pmapqoo5.fsf@daniel-mendler.de> (message from Daniel Mendler on Sat, 04 Feb 2023 19:19:06 +0100)

[[[ To any NSA and FBI agents reading my email: please consider ]]]
[[[ whether defending the US Constitution against all enemies, ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

> As discussed on emacs-devel it would be good if ELPA security could be
> improved, preventing potential breaches on the side of the source
> repository. This feature becomes more relevant the more packages are
> :auto-sync'ed from their source repository.

I agree that we need to clean up the social system for maintaining GNU
ELPA packages. It should be as clear and documented as that for Emacs
core.

> My git commits are usually signed, so one could check the signature of
> each commit which leads to a package build. This feature could be opt-in
> for now, enabled via an attribute :signature in the elpa-packages
> configuration. Maybe elpa-packages could store the fingerprint(s) of the
> expected GPG key(s)? What do other maintainers think of this?

It addresses one way of handling GNU ELPA packages, but not all GNU ELPA
packages are handled in this way. What other categories of packages do
we need to consider?

> In the case of a breach,

Breach of precisely what? To think about this issue requires an answer
to that question.

> both the SSH and GPG keys may be stolen, which
> would allow an attacker to create commits on hosted repositories, such
> that the mechanism would not help. However, the source repository may
> also get compromised via other vectors.

Is this a problem that has a solution?

Should we move this to emacs-devel? A specific bug ticket is not the
right place for such an important topic.

-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)
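The check Daniel proposes in the quoted message (build only from commits signed by an allow-listed key) can be expressed with git's own signature placeholders. The script below is an added illustration, not ELPA build code; the `:signature` attribute and the fingerprints, hashes and sample output are assumed or constructed, and the caveat from the thread still applies: a stolen key passes this check.

```python
"""Added illustration: every commit feeding a package build must carry a good
GPG signature from an allow-listed key (the hypothetical :signature attribute)."""
from __future__ import annotations
import subprocess
from dataclasses import dataclass

# git log placeholders: %G? status letter (G good, U good/unknown validity,
# B bad, X/Y expired, R revoked, E cannot check, N unsigned), %GF fingerprint
# of the signing (sub)key, %GP fingerprint of its primary key.
LOG_FORMAT = "%H%x09%G?%x09%GF%x09%GP"
GOOD_STATUS = {"G", "U"}  # trust comes from the allowlist, not gpg's trust db

@dataclass
class Verdict:
    commit: str
    ok: bool
    reason: str

def norm(fpr: str) -> str:
    return fpr.replace(" ", "").upper()  # fingerprints are often written spaced

def check_commits(log_output: str, allowed: set[str]) -> list[Verdict]:
    """Judge each line of `git log --format=LOG_FORMAT` output."""
    allowed = {norm(f) for f in allowed}
    verdicts = []
    for line in filter(None, log_output.splitlines()):
        commit, status, fpr, primary = (line.split("\t") + [""] * 3)[:4]
        if status not in GOOD_STATUS:
            verdicts.append(Verdict(commit, False, f"signature status {status or '?'}"))
        elif norm(primary) in allowed or norm(fpr) in allowed:
            verdicts.append(Verdict(commit, True, "signed by allow-listed key"))
        else:  # valid signature, but not by a key the package maintainer declared
            verdicts.append(Verdict(commit, False, f"key {fpr} not allow-listed"))
    return verdicts

def check_repo(repo: str, rev_range: str, allowed: set[str]) -> list[Verdict]:
    """Real checkout; the maintainers' public keys must be in gpg's keyring,
    otherwise every commit comes back as status E."""
    cmd = ["git", "-C", repo, "log", f"--format={LOG_FORMAT}", rev_range]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return check_commits(out, allowed)

# Constructed sample output (placeholder hashes and fingerprints, no real repo).
ALLOWED = {"0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"}
SAMPLE_LOG = "\n".join([
    "a1" * 20 + "\tG\t" + "F" * 40 + "\t0123456789ABCDEF0123456789ABCDEF01234567",
    "b2" * 20 + "\tU\t" + "9" * 40 + "\t" + "9" * 40,  # good signature, unknown key
    "c3" * 20 + "\tN\t\t",                                # unsigned commit
    "d4" * 20 + "\tE\t\t",                                # signer's key not in keyring
])
```

Matching on `%GP` as well as `%GF` lets a maintainer rotate signing subkeys without editing the allowlist; the build should refuse the whole range if any verdict is not ok.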