From: Drew Adams
Newsgroups: gmane.emacs.devel
Subject: RE: ELPA policy
Date: Thu, 12 Nov 2015 15:05:50 -0800 (PST)
Message-ID: <1a993b13-0e96-4350-a132-7e8fb05afef4@default>
To: rms@gnu.org, Stephen Leake
Cc: jwiegley@gmail.com, drew.adams@oracle.com, emacs-devel@gnu.org

> > Any malicious hacker can drop completely different code in that web
> > page, and thus get it into Gnu ELPA.
>
> Drew said the pages were locked.
> Doesn't that mean that only he has access to change them?

No, anyone with admin privileges for the wiki has access to do so.
There are a few people in this category. And see Alex Schroeder's
clarification of what this means.

This is not watertight security, by any means.
Perhaps one way to look at it is similar to submitting something by
email (which would be another possibility, for me).

> > We will have replaced the security of private machines with whatever
> > web login that web page requires; that's a huge step backwards.
>
> I think you are concerned that someone might break the security on that
> other server and then install changes on it using Drew's account.

See above.

> In general, someone who breaks the security on a machine used by
> an Emacs contributor might be able to insert changes in Emacs
> by pretending to be that contributor. I don't think this is
> fundamentally different. But maybe the web site's security is
> not quite as good.
>
> We can make the security tighter. Drew, are you willing to GPG-sign
> your new versions?

I don't really know what that entails.

Dunno whether you really want to discuss my case in particular in
detail here. Again, I doubt that it is typical.

The reason for my initial message about this was to suggest that some
people do use MELPA, and that perhaps some way to accommodate them
could be devised. But maybe not.

To repeat the summary of my original point:

  So you might recommend that packages not be put in MELPA, but some
  will continue to be put there, including perhaps some that you might
  someday want to include in Emacs.

Regarding my own case, this was the point:

  I do not use GIT, so any updates I make to them would not be done
  directly in the repository. It was not acceptable to update
  elsewhere (e.g. the wiki) and then have someone or a program pull
  from there to the repository when appropriate.

In sum, some people will post code to MELPA, including some that you
might someday want in Emacs. And some input to MELPA comes from the
wiki, not from GIT - but this is probably a small portion of what is
in MELPA.