From: Richard Stallman
Newsgroups: gmane.emacs.bugs
Subject: bug#61277: FR: ELPA security - Restrict package builds to signed git commits
Date: Sat, 25 Feb 2023 21:59:45 -0500
References: <87pmapqoo5.fsf@daniel-mendler.de>
Reply-To: rms@gnu.org
To: Stefan Kangas
Cc: mail@daniel-mendler.de, 61277@debbugs.gnu.org, yantar92@posteo.net, monnier@iro.umontreal.ca
In-Reply-To: (message from Stefan Kangas on Wed, 15 Feb 2023 05:37:36 -0800)
List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors"
Xref: news.gmane.io gmane.emacs.bugs:256761

Please forgive my delay in replying.

> If an attacker can introduce a commit containing malicious code, and
> create a new git tag pointing to that commit, the GNU ELPA scripts will
> fetch it, and release a new version of the package (now including the
> malicious code). By requiring tags to be cryptographically signed, we
> can have a greater confidence that any new tag has at the very least
> been signed off by the developer him/herself.

This seems wise to me. Does anyone have arguments against?

-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)
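The gate the quoted proposal describes, as an added example that is not code from this thread or from the GNU ELPA build scripts: a POSIX shell function a build script could call before fetching a tag, which refuses lightweight tags, refuses tags whose signature gpg does not verify, and pins the signer to an allowlist of key fingerprints. ALLOWED_FPRS is a placeholder for that allowlist, and gpg is assumed to be installed for the accept path.

```shell
#!/bin/sh
# Release-tag gate (constructed example). Returns 0 only when TAG in REPO is
# an annotated tag object, carries a signature that gpg verifies, and was made
# by a key whose fingerprint is listed in ALLOWED_FPRS.

# Space-separated full key fingerprints of maintainers allowed to cut releases.
# Placeholder: a real build would load this from the package's config.
ALLOWED_FPRS="${ALLOWED_FPRS:-}"

# Usage: tag_build_allowed <repo-dir> <tag-name>
tag_build_allowed() {
    repo=$1
    tag=$2

    # 1. A lightweight tag is just a ref to a commit: there is no tag object
    #    to sign, so it can never satisfy the policy.
    if [ "$(git -C "$repo" cat-file -t "refs/tags/$tag" 2>/dev/null)" != "tag" ]; then
        echo "REJECT $tag: not an annotated tag object" >&2
        return 1
    fi

    # 2. Require a signature gpg accepts. --raw emits gpg's status lines
    #    (on stderr), which we keep for the fingerprint check below.
    status=$(git -C "$repo" verify-tag --raw "$tag" 2>&1) || {
        echo "REJECT $tag: signature missing or invalid" >&2
        return 1
    }

    # 3. Pin the signer. VALIDSIG's first field is the fingerprint of the key
    #    that produced the signature; a valid signature by an unknown key is
    #    still a rejection.
    fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG/ { print $3; exit }')
    if [ -n "$fpr" ]; then
        case " $ALLOWED_FPRS " in
            *" $fpr "*) return 0 ;;
        esac
    fi
    echo "REJECT $tag: signed by key '${fpr:-unknown}' not in allowlist" >&2
    return 1
}
```

The accept path needs a signed tag and the signer's public key in the build host's keyring; the rejections (lightweight tag, unsigned annotated tag, missing tag) need only git.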