From: Thomas Koch
Newsgroups: gmane.emacs.devel
Subject: Re: Security in the emacs package ecosystem
Date: Sat, 11 Mar 2023 21:45:52 +0200 (EET)
Message-ID: <1738536780.363804.1678563952044@office.mailbox.org>
References: <8735hatt4m.fsf@alshehhi.io> <87fsblfuc6.fsf@localhost> <87wn4gd232.fsf@localhost> <87a61bkzq9.fsf@localhost> <83edqnyz00.fsf@gnu.org>
In-Reply-To:
To: chad , rms@gnu.org
Cc: Eli Zaretskii , yantar92@posteo.net, stefankangas@gmail.com, husain@alshehhi.io, emacs-devel@gnu.org
Xref: news.gmane.io gmane.emacs.devel:304339

I believe the question of the original poster has not been addressed. It was about Emacs packages, not about Emacs itself.
The Emacs manual only mentions that package archives can be signed and that "Package archives should provide instructions on how you can obtain their public key." (emacs, 48.3 Package Installation)

There are no such instructions on https://elpa.gnu.org, nor is there any information on security.

(Somewhat rude question: Is GNU Emacs trusting the security of its users to Microsoft's GitHub?)

Related:

- https://www.reddit.com/r/emacs/comments/63e8hu/are_emacs_package_repositories_a_security_risk/
- 2013 thread: "security of the emacs package system, elpa, melpa and marmalade" https://lists.gnu.org/archive/html/emacs-devel/2013-09/msg00450.html
- https://theupdateframework.io should be helpful for anybody working on software update systems
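The message above points out that the manual says archives *can* be signed, but not what a user must do for that to protect them. As an added illustration (not part of Thomas Koch's message, and not an official Emacs recommendation), the following init-file fragment shows the default package.el setting beside a hardened one. The variables `package-check-signature`, `package-gnupghome-dir` and `package-unsigned-archives` are real package.el user options; the function name `my/check-archive-signature-policy` is a hypothetical helper chosen for this example.

```elisp
;; Added example for the thread above; not code from the poster or from Emacs.
;; Goal: make package.el refuse packages whose archive signature is missing or
;; cannot be verified, instead of silently installing them.

;; Default behaviour ('allow-unsigned): signatures are checked when an archive
;; provides them, but archives with no signature at all are still accepted.
;; (setq package-check-signature 'allow-unsigned)

;; Hardened: every archive must carry a signature that verifies against the
;; package keyring; otherwise installation fails.
(setq package-check-signature 'all)

;; Keyring used for verification. This is the default location; the GNU ELPA
;; key shipped with Emacs (etc/package-keyring.gpg) is imported into it.
;; When that key expires, refresh it with the gnu-elpa-keyring-update package.
(setq package-gnupghome-dir
      (expand-file-name "gnupg" package-user-dir))

;; Any archive listed here is exempted from signature checking, which would
;; undo the setting above, so keep the list empty.
(setq package-unsigned-archives nil)

;; Hypothetical helper: warn at startup if the policy has been weakened
;; elsewhere in the configuration (for example by a package that sets
;; package-check-signature or adds an exempted archive).
(defun my/check-archive-signature-policy ()
  "Warn if package.el would accept unsigned or exempted archives."
  (unless (eq package-check-signature 'all)
    (warn "package-check-signature is %S; unsigned packages may be installed"
          package-check-signature))
  (when package-unsigned-archives
    (warn "Archives exempt from signature checks: %S"
          package-unsigned-archives)))

(add-hook 'after-init-hook #'my/check-archive-signature-policy)
```

Note that `'all` only establishes that the archive index and packages were signed by a key in the keyring; it says nothing about how that key was obtained, which is exactly the gap in the archive instructions that the message raises.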