From: Jean Louis
Newsgroups: gmane.emacs.devel
Subject: MELPA issues - Re: Proposal for an Emacs User Survey
Date: Fri, 16 Oct 2020 19:33:45 +0300
Message-ID: <20201016163345.GD3216@protected.rcdrun.com>
To: Marcel Ventosa
Cc: Richard Stallman, thibaut.verron@gmail.com, emacs-devel@gnu.org
* Marcel Ventosa [2020-10-16 09:03]:
> On Thu, 15 Oct 2020 23:59:07 -0400
> Richard Stallman wrote:
>
> > I hope that only a minority of Emacs users know about MELPA, and I'd
> > rather not inform the rest about it. But if something is going to
> > inform them anyway, it is better to do it with a denunciation.
>
> I've been using Emacs (and MELPA) for the best part of a decade and
> knew nothing about this! I'm concerned to use only free software and
> actively avoid proprietary software, so this is a bit of a shock.
>
> Is there anywhere I can read more about this issue?

I have not checked all the software on MELPA, but due to GitHub policies that free (of charge) repositories should have only free (as in liberty) software licenses, I am assuming that probably none of that software is non-free. But there can be MELPA software that is vague because maybe maintainers have not put the proper license, which is often the case.
The software provided by MELPA may lead users to non-free software, or may control non-free software, or be made exclusively for usage of free software. An example that I have found is the ChatWork package; it works with the ChatWork chat software, which I only assume is proprietary. I have not checked it very well; it seemed to be so from verification of their website.

Corporations can very easily sponsor somebody to provide software for Emacs that provides features that control or interact with their proprietary software. It is also a method of advertising.

Then there is software to access various websites, let us say software that provides quotes from a specific website; it could be a funny quote or a smart one, but maybe the purpose is simply advertising.

Finally, fetching something from another website I consider dangerous; the package itself need not be, but other packages following could easily be dangerous.

More danger from MELPA comes from the fact that MELPA is not verifying the packages, not that I know of; I have read that they said they are not doing it. There is a plethora of insecurities on MELPA. It is far from harmless.

As far as I understood, the packages arriving at GNU ELPA have their copyright assigned to the FSF. I am also assuming, as a user, that such packages are somehow reviewed by developers, not just one developer, and that they are placed into ELPA as a duplicate or copy from the upstream. I may be wrong in all of that assumption, but I think that GNU ELPA packages are verified for freedom and mostly for security and safety of users.

We are speaking of loading true programming language code and executing it on users' computers. It is not equivalent to JavaScript; it is far more dangerous than JavaScript, which tends to execute in a safe environment, in such a way as not to abuse users' computers and data. Yet people have found ways to crack browsers and to crack and enter into users' file systems; there are many ways JavaScript can be malicious.
The more packages there are that are not verified but simply offered for download through MELPA, the more insecurities are coming in the future.

MELPA is allowing Google to track users by using Google Analytics on their website; that already speaks about the webmaster's lack of skills in managing the website. There are so many free software programs for web statistics, and there is no need for third-party tracking.

Now, the real insecurity comes from programs that are sourced from GitHub. If there are 4000+ packages, there can be 1000+ authors, maybe even 2000+ authors. Each of those authors represents an insecurity to computing, as their packages are not verified each time they are pulled; they are blindly trusted. The blind trust in MELPA packages is what is making it highly insecure for computer users. It requires just one author's account to be cracked and malicious code to be inserted, and thousands of computer users can be affected that way. Finally, an author can go nuts himself and can become psychotic; there are programmers who became so. They can introduce malicious code themselves, or can do it while claiming it was somebody else.

Packages that I think do not belong in a free software repository, for the reason that they are using proprietary information, wrapping proprietary software, or using known spying networks:

babel - uses non-free Babelfish translations (if I am mistaken, tell me)
chatwork - uses the non-free ChatWork proprietary chat software
bing-dict - uses the Microsoft Bing proprietary dictionary
calfw-gcal - to edit Google Calendar

Obviously I only came to the letter C; I could browse more and find more troublesome packages. Yet the major insecurity is the number of packages that are not verified by a human to be safe, the blind offering, and the blind acceptance by users thinking they are safe.

Jean
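The complaint above, that packages are blindly trusted every time they are pulled from an upstream repository, has a concrete defensive counterpart on the client side: record the hash of each package archive at the moment a human reviewed it, and refuse to install any archive whose bytes no longer match or that was never reviewed at all. The following Python is an added illustration and is not code from this thread, from MELPA or from Emacs; the lockfile layout, the function names and the sample archive bytes are all constructed for the example.

```python
"""Pin-and-verify check for packages fetched from an unverified archive.

Added illustration (not MELPA's or Emacs's own code): the client keeps a
lockfile mapping package name -> sha256 of the archive bytes it reviewed
once, and refuses to install anything whose bytes no longer match or that
was never pinned. All archive contents below are constructed sample data.
"""
import hashlib
import json
from typing import Dict, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex digest of the raw archive bytes; the lockfile stores this."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample archives standing in for .el files fetched from a remote.
REVIEWED_ARCHIVES: Dict[str, bytes] = {
    "example-quote": b";;; example-quote.el --- show a quote\n(provide 'example-quote)\n",
    "example-dict": b";;; example-dict.el --- dictionary lookup\n(provide 'example-dict)\n",
}


def build_lockfile(archives: Dict[str, bytes]) -> Dict[str, str]:
    """Record the hash of each archive at the moment a human reviewed it."""
    return {name: sha256_hex(data) for name, data in archives.items()}


def verify_archive(name: str, data: bytes, lockfile: Dict[str, str]) -> Tuple[bool, str]:
    """Return (ok, reason). Only a byte-exact match with the pinned hash is accepted."""
    pinned = lockfile.get(name)
    if pinned is None:
        return False, "unpinned: no reviewed hash recorded for this package"
    actual = sha256_hex(data)
    if actual != pinned:
        return False, f"mismatch: pinned {pinned[:12]}..., fetched {actual[:12]}..."
    return True, "ok"


def plan_install(fetched: Dict[str, bytes], lockfile: Dict[str, str]) -> Dict[str, str]:
    """Classify every fetched package by the reason string from verify_archive."""
    return {name: verify_archive(name, data, lockfile)[1] for name, data in fetched.items()}


def all_verified(fetched: Dict[str, bytes], lockfile: Dict[str, str]) -> bool:
    """True only when every fetched archive matches its pinned hash."""
    return all(verify_archive(name, data, lockfile)[0] for name, data in fetched.items())


if __name__ == "__main__":
    lock = build_lockfile(REVIEWED_ARCHIVES)
    print(json.dumps(lock, indent=2))
    # Simulate a later fetch: one upstream changed and a new package appeared.
    later = dict(REVIEWED_ARCHIVES)
    later["example-dict"] = later["example-dict"] + b"(setq some-var 1)\n"
    later["example-new"] = b";;; example-new.el\n"
    for name, reason in plan_install(later, lock).items():
        print(f"{name}: {reason}")
    print("install allowed:", all_verified(later, lock))
```

The check is deliberately language-agnostic: the same logic can be expressed in Emacs Lisp with `secure-hash` over the downloaded file before handing it to the package installer. A changed upstream shows up as a mismatch even when the package name and version string are unchanged, which is exactly the case an account compromise would produce.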