From: Richard Stallman
Newsgroups: gmane.emacs.bugs
Subject: bug#61277: FR: ELPA security - Restrict package builds to signed git commits
Date: Wed, 15 Feb 2023 00:17:21 -0500
Reply-To: rms@gnu.org
To: Daniel Mendler
Cc: 61277@debbugs.gnu.org, yantar92@posteo.net, stefankangas@gmail.com, monnier@iro.umontreal.ca
In-Reply-To: <23c855a2-4330-6da8-6a05-72f26e4ebc5b@daniel-mendler.de> (message from Daniel Mendler on Sun, 12 Feb 2023 11:32:36 +0100)
References: <87pmapqoo5.fsf@daniel-mendler.de> <23c855a2-4330-6da8-6a05-72f26e4ebc5b@daniel-mendler.de>
List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors"
Xref: news.gmane.io gmane.emacs.bugs:255666

[[[ To any NSA and FBI agents reading my email: please consider ]]]
[[[ whether defending the US Constitution against all enemies, ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

> There could also be a breach on the server where the git repository is
> hosted. The repository could be manipulated directly on the server. It
> is not that likely but if such incidents happen they have a huge
> fallout. I also expect that more and more people move their
> :auto-sync'ed git repositories to private servers or smaller forges,
> which may not be as protected as the most popular ones.

Do we know of any security experts who appreciate the moral principles
of free software, who could help us come up with methods that properly
handle both?

-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)
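The quoted concern above (a repository altered directly on a compromised hosting server) is what the feature request in the subject line, building only from signed commits, is meant to catch: a commit written on the server without a maintainer's key has no valid signature from an allow-listed key, so the build host refuses it. The script below is an added example for this thread, not code from ELPA, Emacs or the bug report. It assumes the build host keeps its own keyring of maintainer public keys and runs `git log --format='%H %G? %GF'` itself; the commit hashes, the key fingerprints and the `TRUSTED_FINGERPRINTS` allow-list are constructed sample values.

```python
"""Gate a package build on the signature status of every commit to be built.

Added example for bug#61277; not code from ELPA, Emacs or the bug thread.
Assumption: the build host has a keyring with the maintainers' public keys
and runs `git log --format='%H %G? %GF' BASE..HEAD` locally, so the verdict
never depends on the forge that hosts the repository.
"""
import subprocess
from dataclasses import dataclass

# git's %G? signature-status codes (git-log(1), "PRETTY FORMATS").
STATUS_MEANING = {
    "G": "good signature, key trusted",
    "U": "good signature, key validity unknown",
    "B": "bad signature",
    "X": "good signature, but expired",
    "Y": "good signature, key expired",
    "R": "good signature, key revoked",
    "E": "signature cannot be checked (e.g. key missing)",
    "N": "no signature",
}
# Only a cryptographically good signature passes. gpg ownertrust ("G" vs "U")
# is not relied on; the explicit allow-list of maintainer fingerprints below
# decides which keys may authorise a build.
GOOD_STATUSES = {"G", "U"}

# Constructed sample: fingerprints of the package maintainers' signing keys.
TRUSTED_FINGERPRINTS = {"8BC1C1E1A2B3C4D5E6F70819A2B3C4D5E6F70819"}

# Constructed sample of `git log --format='%H %G? %GF'` output, one commit per
# line: hash, status code, fingerprint of the signing key (empty if unsigned).
SAMPLE_GIT_LOG = "\n".join([
    "0a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3 G 8BC1C1E1A2B3C4D5E6F70819A2B3C4D5E6F70819",
    "1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3e4 U 8BC1C1E1A2B3C4D5E6F70819A2B3C4D5E6F70819",
    "2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3e4f5 N ",
    "3d4e5f60718293a4b5c6d7e8f9a0b1c2d3e4f5a6 G 1111222233334444555566667777888899990000",
    "4e5f60718293a4b5c6d7e8f9a0b1c2d3e4f5a6b7 B 8BC1C1E1A2B3C4D5E6F70819A2B3C4D5E6F70819",
])


@dataclass(frozen=True)
class CommitStatus:
    sha: str
    status: str
    fingerprint: str


def parse_git_log(output: str) -> list:
    """Parse `%H %G? %GF` lines; unsigned commits get an empty fingerprint."""
    commits = []
    for line in output.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 2 or not parts[0]:
            continue  # blank or malformed line
        fingerprint = parts[2].strip().upper() if len(parts) > 2 else ""
        commits.append(CommitStatus(parts[0], parts[1], fingerprint))
    return commits


def check_commits(commits, trusted) -> list:
    """Return the reasons to refuse the build; an empty list means accept."""
    trusted = {fp.upper() for fp in trusted}
    problems = []
    for c in commits:
        if c.status not in GOOD_STATUSES:
            meaning = STATUS_MEANING.get(c.status, "unknown status " + c.status)
            problems.append(f"{c.sha[:12]}: {meaning}")
        elif c.fingerprint not in trusted:
            problems.append(f"{c.sha[:12]}: signed by {c.fingerprint}, "
                            "which is not a maintainer key")
    return problems


def git_log_signatures(repo_dir: str, rev_range: str) -> str:
    """Produce the input for parse_git_log() from a real checkout."""
    return subprocess.run(
        ["git", "-C", repo_dir, "log", "--format=%H %G? %GF", rev_range],
        check=True, capture_output=True, text=True,
    ).stdout


def build_allowed(log_output: str, trusted=TRUSTED_FINGERPRINTS) -> bool:
    """True only when every commit carries a good signature by a trusted key."""
    return not check_commits(parse_git_log(log_output), trusted)


if __name__ == "__main__":
    for reason in check_commits(parse_git_log(SAMPLE_GIT_LOG), TRUSTED_FINGERPRINTS):
        print("refuse:", reason)
    print("build allowed:", build_allowed(SAMPLE_GIT_LOG))
```

In the sample, the first two commits pass (good signature, allow-listed key), while the unsigned commit, the commit signed by a key outside the allow-list, and the commit with a bad signature each produce a refusal. Because the check runs on the build host against its own keyring and allow-list, a breach of the hosting server alone is not enough to get unreviewed content into a build; an attacker would also need a maintainer's private key.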