From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail
From: Jean Louis <bugs@gnu.support>
Newsgroups: gmane.emacs.bugs
Subject: bug#19479: Package manager vulnerable to replay attacks
Date: Thu, 26 Nov 2020 06:56:44 +0300
Message-ID: <X78nfPw4ABaCtp0F@protected.rcdrun.com>
References: <OYNAdwJtSjDBqdP8v3CmmCvPSb3L6y6lTYtZpQrTySr@local>
 <CADwFkm=XOkXyZB+SQut4wUq=cJDOyqjfnO3fPk_sG_UK+3qSFA@mail.gmail.com>
 <CADwFkm=LjmqwyJLF=JbxD81JM782WV=-A5-PVHi9u0OBZ-ncHQ@mail.gmail.com>
 <jwvsg8xc65z.fsf-monnier+emacs@gnu.org>
 <CADwFkmnKvC3KQhc5tdPTK9YtrcoUbCzyG1AW5Gn7_eK1OK9--A@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214";
	logging-data="22515"; mail-complaints-to="usenet@ciao.gmane.io"
User-Agent: Mutt/2.0 (3d08634) (2020-11-07)
Cc: 19479@debbugs.gnu.org, Noam Postavsky <npostavs@gmail.com>,
 Stefan Monnier <monnier@iro.umontreal.ca>
To: Stefan Kangas <stefan@marxist.se>
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Thu Nov 26 06:08:31 2020
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane-mx.org
Original-Received: from lists.gnu.org ([209.51.188.17])
	by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>)
	id 1ki9WA-0005k8-NH
	for geb-bug-gnu-emacs@m.gmane-mx.org; Thu, 26 Nov 2020 06:08:30 +0100
Original-Received: from localhost ([::1]:41216 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>)
	id 1ki9W9-00022y-4z
	for geb-bug-gnu-emacs@m.gmane-mx.org; Thu, 26 Nov 2020 00:08:29 -0500
Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:49282)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1ki9Vk-0001wj-Ew
 for bug-gnu-emacs@gnu.org; Thu, 26 Nov 2020 00:08:04 -0500
Original-Received: from debbugs.gnu.org ([209.51.188.43]:54849)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1ki9Vj-0000TG-5X
 for bug-gnu-emacs@gnu.org; Thu, 26 Nov 2020 00:08:04 -0500
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1ki9Vj-0008FD-0I
 for bug-gnu-emacs@gnu.org; Thu, 26 Nov 2020 00:08:03 -0500
X-Loop: help-debbugs@gnu.org
Resent-From: Jean Louis <bugs@gnu.support>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Thu, 26 Nov 2020 05:08:02 +0000
Resent-Message-ID: <handler.19479.B19479.160636727431662@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 19479
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: security
Original-Received: via spool by 19479-submit@debbugs.gnu.org id=B19479.160636727431662
 (code B ref 19479); Thu, 26 Nov 2020 05:08:02 +0000
Original-Received: (at 19479) by debbugs.gnu.org; 26 Nov 2020 05:07:54 +0000
Original-Received: from localhost ([127.0.0.1]:38160 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1ki9VZ-0008Ec-NL
 for submit@debbugs.gnu.org; Thu, 26 Nov 2020 00:07:53 -0500
Original-Received: from static.rcdrun.com ([95.85.24.50]:44237)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <bugs@gnu.support>) id 1ki9VY-0008EQ-Rz
 for 19479@debbugs.gnu.org; Thu, 26 Nov 2020 00:07:53 -0500
Original-Received: from localhost ([::ffff:41.202.241.56])
 (AUTH: PLAIN admin, TLS: TLS1.2,256bits,ECDHE_RSA_AES_256_GCM_SHA384)
 by static.rcdrun.com with ESMTPSA
 id 00000000002C0006.000000005FBF3822.00001017; Thu, 26 Nov 2020 05:07:45 +0000
Content-Disposition: inline
In-Reply-To: <CADwFkmnKvC3KQhc5tdPTK9YtrcoUbCzyG1AW5Gn7_eK1OK9--A@mail.gmail.com>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
 the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-gnu-emacs>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org
Original-Sender: "bug-gnu-emacs"
 <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>
Xref: news.gmane.io gmane.emacs.bugs:194261
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/194261>

* Stefan Kangas <stefan@marxist.se> [2020-11-26 05:07]:
> PS. Note that if we add a checksum, there will no longer be any need to
>     sign individual packages for future versions of Emacs.  We would
>     then only need to sign the metadata.

I do not know internals as I did not see yet signed package. But if
signed package fetched from GNU ELPA then such is verified against
official key on user's computer, right?

Now take in account that signed packages will be distributed through
mirrors and mirrors already exist.

If archive-contents or meta data is signed and can be technically used
by mirror, that would be fine. If archive-contents need to be changed
or mirror wants to mirror only specific packages then package need to
be signed.