From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail
From: Richard Stallman <rms@gnu.org>
Newsgroups: gmane.emacs.bugs
Subject: bug#61277: FR: ELPA security - Restrict package builds to signed git
 commits
Date: Sat, 25 Feb 2023 21:59:45 -0500
Message-ID: <E1pW7GL-0007zb-WE@fencepost.gnu.org>
References: <87pmapqoo5.fsf@daniel-mendler.de>
 <E1pPF5v-0007YZ-6K@fencepost.gnu.org>
 <CADwFkmkZNDSjmGJDHB4Xp78s8=mM32+uF0nF=gjrTEf6RRa_6A@mail.gmail.com>
 <E1pSAAM-0002rh-D8@fencepost.gnu.org>
 <CADwFkmn1q23w1XT94vHXU5jsrnZeiHs0RV+O1b4GYySiDKNQwg@mail.gmail.com>
Reply-To: rms@gnu.org
Content-Type: text/plain; charset=Utf-8
Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214";
	logging-data="25896"; mail-complaints-to="usenet@ciao.gmane.io"
Cc: mail@daniel-mendler.de, 61277@debbugs.gnu.org, yantar92@posteo.net,
 monnier@iro.umontreal.ca
To: Stefan Kangas <stefankangas@gmail.com>
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Sun Feb 26 04:00:30 2023
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane-mx.org
Original-Received: from lists.gnu.org ([209.51.188.17])
	by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>)
	id 1pW7H3-0006Zk-QC
	for geb-bug-gnu-emacs@m.gmane-mx.org; Sun, 26 Feb 2023 04:00:30 +0100
Original-Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <bug-gnu-emacs-bounces@gnu.org>)
	id 1pW7Gs-0007bt-Vd; Sat, 25 Feb 2023 22:00:19 -0500
Original-Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1pW7Gg-0007YF-DL
 for bug-gnu-emacs@gnu.org; Sat, 25 Feb 2023 22:00:07 -0500
Original-Received: from debbugs.gnu.org ([209.51.188.43])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1pW7Gd-00006l-S2
 for bug-gnu-emacs@gnu.org; Sat, 25 Feb 2023 22:00:04 -0500
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1pW7Gd-0002Qk-My
 for bug-gnu-emacs@gnu.org; Sat, 25 Feb 2023 22:00:03 -0500
X-Loop: help-debbugs@gnu.org
Resent-From: Richard Stallman <rms@gnu.org>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Sun, 26 Feb 2023 03:00:03 +0000
Resent-Message-ID: <handler.61277.B61277.16773804029335@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 61277
X-GNU-PR-Package: emacs
Original-Received: via spool by 61277-submit@debbugs.gnu.org id=B61277.16773804029335
 (code B ref 61277); Sun, 26 Feb 2023 03:00:03 +0000
Original-Received: (at 61277) by debbugs.gnu.org; 26 Feb 2023 03:00:02 +0000
Original-Received: from localhost ([127.0.0.1]:42040 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1pW7Gb-0002QK-Vr
 for submit@debbugs.gnu.org; Sat, 25 Feb 2023 22:00:02 -0500
Original-Received: from eggs.gnu.org ([209.51.188.92]:48358)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <rms@gnu.org>) id 1pW7GS-0002PK-Us
 for 61277@debbugs.gnu.org; Sat, 25 Feb 2023 21:59:53 -0500
Original-Received: from fencepost.gnu.org ([2001:470:142:3::e])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <rms@gnu.org>)
 id 1pW7GM-0008MB-Bh; Sat, 25 Feb 2023 21:59:46 -0500
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org;
 s=fencepost-gnu-org; h=Date:References:Subject:In-Reply-To:To:From:
 mime-version; bh=ul2ACyZlXEvNikot5yngKC+47UdwfFG5Fd57KRXurYQ=; b=PUD59ky5INVH
 iZK2iBLRJrlMyCcjpx0Xz/ZxXFJmsB1eTPGYKuMGqQdwyWKrQcPysrKk7GcyMqZzr2xzCpUnyW+x+
 HnAT83tHNiRvTsrDVsJg3v5rq4yDyz7LsaRLUxMk+nIxo1UMB+IA9ADeCzV6x8+o4QaQo+IB0NaiZ
 eo8kzJPwleEHUGFoL+pf1kM9iTWUK9SmM31LEpu2H7blV/7WufbxV+2UxdSdMJvdF1f755gb9mrti
 8MT1tuMVK+D1uQDPDPtZYOJnvavwr+RTjroto2yqbEOstxdz66ucVQ9OUmXum5UrJ2ArT+4TKhEdg
 rNhlnLa8Aho4SshmlLDnfw==;
Original-Received: from rms by fencepost.gnu.org with local (Exim 4.90_1)
 (envelope-from <rms@gnu.org>)
 id 1pW7GL-0007zb-WE; Sat, 25 Feb 2023 21:59:46 -0500
In-Reply-To: <CADwFkmn1q23w1XT94vHXU5jsrnZeiHs0RV+O1b4GYySiDKNQwg@mail.gmail.com>
 (message from Stefan Kangas on Wed, 15 Feb 2023 05:37:36 -0800)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
 the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-gnu-emacs>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org
Original-Sender: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org
Xref: news.gmane.io gmane.emacs.bugs:256761
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/256761>

Please forgive my delay in replying.

  > If an attacker can introduce a commit containing malicious code, and
  > create a new git tag pointing to that commit, the GNU ELPA scripts will
  > fetch it, and release a new version of the package (now including the
  > malicious code).  By requiring tags to be cryptographically signed, we
  > can have a greater confidence that any new tag has at the very least
  > been signed off by the developer him/herself.

This seems wise to me.  Does anyone have arguments against?

-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)