From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: Kelly Dean <kelly@prtime.org>
Newsgroups: gmane.emacs.bugs
Subject: bug#19479: Package manager vulnerable
Date: Thu, 08 Jan 2015 11:40:25 +0000
Message-ID: <gJC92BoKwjBw4ZotCb43HoQHyLvVEn4ZGGyrbpU53VM@local>
References: <iHwGTo6KPGu52f1tOLq6Ek7KcZ7r2tufrT1z4GnPndF@local>
	<jwvd26p7rga.fsf-monnier+emacsbugs@gnu.org>
NNTP-Posting-Host: plane.gmane.org
Mime-Version: 1.0
Content-Type: text/plain
X-Trace: ger.gmane.org 1420717451 31223 80.91.229.3 (8 Jan 2015 11:44:11 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Thu, 8 Jan 2015 11:44:11 +0000 (UTC)
To: 19479@debbugs.gnu.org
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Thu Jan 08 12:44:05 2015
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by plane.gmane.org with esmtp (Exim 4.69)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1Y9BTg-0007MN-KI
	for geb-bug-gnu-emacs@m.gmane.org; Thu, 08 Jan 2015 12:42:12 +0100
Original-Received: from localhost ([::1]:45501 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1Y9BTf-0008SE-Ti
	for geb-bug-gnu-emacs@m.gmane.org; Thu, 08 Jan 2015 06:42:11 -0500
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:56811)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1Y9BTb-0008S8-7C
	for bug-gnu-emacs@gnu.org; Thu, 08 Jan 2015 06:42:08 -0500
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1Y9BTW-00010W-Qa
	for bug-gnu-emacs@gnu.org; Thu, 08 Jan 2015 06:42:06 -0500
Original-Received: from debbugs.gnu.org ([140.186.70.43]:58775)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1Y9BTW-00010Q-Nv
	for bug-gnu-emacs@gnu.org; Thu, 08 Jan 2015 06:42:02 -0500
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.80)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1Y9BTW-0002dZ-8N
	for bug-gnu-emacs@gnu.org; Thu, 08 Jan 2015 06:42:02 -0500
X-Loop: help-debbugs@gnu.org
Resent-From: Kelly Dean <kelly@prtime.org>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Thu, 08 Jan 2015 11:42:02 +0000
Resent-Message-ID: <handler.19479.B19479.142071727910081@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 19479
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: security
Original-Received: via spool by 19479-submit@debbugs.gnu.org id=B19479.142071727910081
	(code B ref 19479); Thu, 08 Jan 2015 11:42:02 +0000
Original-Received: (at 19479) by debbugs.gnu.org; 8 Jan 2015 11:41:19 +0000
Original-Received: from localhost ([127.0.0.1]:39908 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1Y9BSp-0002cX-Cy
	for submit@debbugs.gnu.org; Thu, 08 Jan 2015 06:41:19 -0500
Original-Received: from relay3-d.mail.gandi.net ([217.70.183.195]:38051)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <kelly@prtime.org>) id 1Y9BSm-0002cJ-9v
	for 19479@debbugs.gnu.org; Thu, 08 Jan 2015 06:41:17 -0500
Original-Received: from mfilter17-d.gandi.net (mfilter17-d.gandi.net [217.70.178.145])
	by relay3-d.mail.gandi.net (Postfix) with ESMTP id 4EAC4A8109
	for <19479@debbugs.gnu.org>; Thu,  8 Jan 2015 12:41:15 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mfilter17-d.gandi.net
Original-Received: from relay3-d.mail.gandi.net ([217.70.183.195])
	by mfilter17-d.gandi.net (mfilter17-d.gandi.net [10.0.15.180])
	(amavisd-new, 
	port 10024) with ESMTP id mKUpHm4WQn4J for <19479@debbugs.gnu.org>;
	Thu,  8 Jan 2015 12:41:14 +0100 (CET)
X-Originating-IP: 162.248.99.114
Original-Received: from localhost (114-99-248-162-static.reverse.queryfoundry.net
	[162.248.99.114]) (Authenticated sender: kelly@prtime.org)
	by relay3-d.mail.gandi.net (Postfix) with ESMTPSA id 268DDA80D8
	for <19479@debbugs.gnu.org>; Thu,  8 Jan 2015 12:41:12 +0100 (CET)
In-Reply-To: <iHwGTo6KPGu52f1tOLq6Ek7KcZ7r2tufrT1z4GnPndF@local>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x
X-Received-From: 140.186.70.43
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
	the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-gnu-emacs>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org
Original-Sender: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org
Xref: news.gmane.org gmane.emacs.bugs:98111
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/98111>

BTW, Stefan mentioned (see bug #19536) that you don't use package-x for elpa.gnu.org, and instead use some other scripts, so it just occurred to me that you might not immediately notice that my patch not only verifies hashes, but also generates them, so there's nothing extra you need to do.

Just use package-upload-file from package-x.el, and it will automatically add the appropriate entry (including hash) for the package to the archive-contents file.

Apply the fix for bug #19536 if you want package-upload-file to correctly add tar files to the archive's package directory. (It already correctly adds single-file packages.)

GNU elpa, Melpa, and Marmalade can start using the new archive-contents now. Old clients will still work fine, and simply ignore the hashes. New clients will verify them.