unofficial mirror of emacs-devel@gnu.org 
 help / color / mirror / code / Atom feed
From: Thomas Koch <thomas@koch.ro>
To: chad <yandros@gmail.com>, rms@gnu.org
Cc: Eli Zaretskii <eliz@gnu.org>,
	yantar92@posteo.net, stefankangas@gmail.com, husain@alshehhi.io,
	emacs-devel@gnu.org
Subject: Re: Security in the emacs package ecosystem
Date: Sat, 11 Mar 2023 21:45:52 +0200 (EET)	[thread overview]
Message-ID: <1738536780.363804.1678563952044@office.mailbox.org> (raw)
In-Reply-To: <CAO2hHWZ6mz6oCmeFrxKj9KN1J2=Y_wCe94LzjBcNMr3WPy2p6g@mail.gmail.com>

I believe, the question of the original poster has not been addressed. It was about Emacs packages, not about Emacs itself.

The Emacs manual only mentions, that package archives can be signed and that "Package archives should provide instructions on how you can obtain their public key." (emacs, 48.3 Package Installation)

There are no such instructions on https://elpa.gnu.org nor is there any information on security.

(Somewhat rude question: Is Gnu Emacs trusting the security of its users to Microsofts GitHub?)

Related:

- https://www.reddit.com/r/emacs/comments/63e8hu/are_emacs_package_repositories_a_security_risk/
- 2013 thread: "security of the emacs package system, elpa, melpa and marmalade"
  https://lists.gnu.org/archive/html/emacs-devel/2013-09/msg00450.html
- https://theupdateframework.io should be helpful for anybody working on software update systems



  reply	other threads:[~2023-03-11 19:45 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-05-15 20:53 Security in the emacs package ecosystem Husain Alshehhi
2023-02-04 13:12 ` Ihor Radchenko
2023-02-04 16:59   ` Stefan Kangas
2023-02-17 10:21     ` Ihor Radchenko
2023-02-17 10:23       ` Ihor Radchenko
2023-02-17 15:54       ` Stefan Kangas
2023-02-18 10:57         ` Ihor Radchenko
2023-02-18 11:49           ` Eli Zaretskii
2023-02-20  5:18             ` Richard Stallman
2023-02-20  6:23               ` Po Lu
2023-02-20 17:38               ` chad
2023-03-11 19:45                 ` Thomas Koch [this message]
2023-03-14  4:00                   ` Richard Stallman
2023-02-18 11:54           ` Making `package-check-signature' more restrictive by default Stefan Kangas

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://www.gnu.org/software/emacs/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1738536780.363804.1678563952044@office.mailbox.org \
    --to=thomas@koch.ro \
    --cc=eliz@gnu.org \
    --cc=emacs-devel@gnu.org \
    --cc=husain@alshehhi.io \
    --cc=rms@gnu.org \
    --cc=stefankangas@gmail.com \
    --cc=yandros@gmail.com \
    --cc=yantar92@posteo.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).