From: Stefan Monnier <monnier@IRO.UMontreal.CA>
To: Glenn Morris <rgm@gnu.org>
Cc: 32544@debbugs.gnu.org, Michael Albinus <michael.albinus@gmx.de>
Subject: bug#32544: [ELPA] core packages need generated files
Date: Mon, 27 Aug 2018 20:15:28 -0400 [thread overview]
Message-ID: <jwvh8jfnym8.fsf-monnier+emacsbugs@gnu.org> (raw)
In-Reply-To: <4dh8jfo090.fsf@fencepost.gnu.org> (Glenn Morris's message of "Mon, 27 Aug 2018 19:31:07 -0400")
> Is the concern privilege escalation in build recipes in malicious elpa
> packages?
Yes.
> But couldn't the same package run the same bad code at package install
> time on the end user's machine, today and for as long as elpa.gnu.org
> has existed?
Yes. Tho not only "at package install time", since that same bad code
can be run any time later when the package is activated or loaded...
> Ie, if we assume malicious code can get into elpa packages with no-one
> noticing, the whole system is already broken anyway?
Yup.
> But if you want to make the elpa system more secure one piece at a time,
> that's obviously no bad thing.
I think the reasons why I'm more worried about elpa.gnu.org than the
end-user's machines include:
- very little time between the moment we receive the commit-diffs by
email and the moment the code is run. So even if we notice the
offending code on the spot, there's not much time to react.
- elpa.gnu.org is part of infrastructure that Emacs users trust when
downloading GNU ELPA packages (e.g. it holds the PGP signing key), so
a breach could affect all GNU ELPA users (especially if not
noticed).
Stefan
next prev parent reply other threads:[~2018-08-28 0:15 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-27 15:05 bug#32544: [ELPA] core packages need generated files Michael Albinus
2018-08-27 15:21 ` Stefan Monnier
2018-08-27 15:34 ` Michael Albinus
2018-08-27 15:52 ` Stefan Monnier
2018-08-28 15:17 ` Philippe Vaucher
2018-08-27 23:31 ` Glenn Morris
2018-08-28 0:15 ` Stefan Monnier [this message]
2018-08-28 2:13 ` Glenn Morris
2018-08-28 11:54 ` Stefan Monnier
2020-12-20 17:20 ` Stefan Monnier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=jwvh8jfnym8.fsf-monnier+emacsbugs@gnu.org \
--to=monnier@iro.umontreal.ca \
--cc=32544@debbugs.gnu.org \
--cc=michael.albinus@gmx.de \
--cc=rgm@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).