From: Marcel Ventosa
Newsgroups: gmane.emacs.devel
Subject: Re: MELPA issues - Re: Proposal for an Emacs User Survey
Date: Sat, 17 Oct 2020 09:59:18 +0700
Message-ID: <20201017095918.0932fe2e@argon>
References: <20201011120840.GC2923@protected.rcdrun.com> <20201011125031.GC6784@odonien.localdomain> <20201012050418.GZ2923@protected.rcdrun.com> <20201013052736.GE31408@protected.rcdrun.com> <20201016130235.06218dae@argon> <20201016163345.GD3216@protected.rcdrun.com>
In-Reply-To: <20201016163345.GD3216@protected.rcdrun.com>
To: Jean Louis
Cc: Richard Stallman, thibaut.verron@gmail.com, emacs-devel@gnu.org
X-Mailer: Claws Mail 3.17.7 (GTK+ 2.24.32; x86_64-pc-linux-gnu)
Thank you for your explanation Jean Louis.

On Fri, 16 Oct 2020 19:33:45 +0300
Jean Louis wrote:

> * Marcel Ventosa [2020-10-16 09:03]:
> > On Thu, 15 Oct 2020 23:59:07 -0400
> > Richard Stallman wrote:
> >
> > > I hope that only a minority of Emacs users know about MELPA, and
> > > I'd rather not inform the rest about it. But if something is
> > > going to inform them anyway, it is better to do it with a
> > > denunciation.
> >
> > I've been using Emacs (and MELPA) for the best part of a decade and
> > knew nothing about this! I'm concerned to use only free software and
> > actively avoid proprietary software, so this is a bit of a shock.
> >
> > Is there anywhere I can read more about this issue?
>
> I have not checked all the software on MELPA, but due to GitHub
> policies that free (of charge) repositories should have only free (as
> in liberty) software licenses, I am assuming that probably none of
> that software is non-free. But there can be MELPA software that is
> vague because maybe the maintainers have not put in the proper
> license, which is often the case.
>
> The software provided by MELPA may lead users to non-free software or
> may control non-free software or be made exclusively for usage of free
> software.
>
> An example that I have found is the ChatWork package; it works with
> the ChatWork chat software, which I only assume is proprietary. I have
> not checked it very well, but it seemed to be so from verification of
> their website.
>
> Corporations can very easily sponsor somebody to provide software for
> Emacs to provide features that control or interact with their
> proprietary software.
>
> It is also a method of advertising.
>
> Then there is software to access various websites, let us say software
> that provides quotes from a specific website; it could be a funny
> quote or a smart one, but maybe the purpose is simply advertising.
> Finally, fetching something from another website I consider
> dangerous; the package itself need not be, but other packages
> following could easily be dangerous.
>
> More danger from MELPA comes from the fact that MELPA is not verifying
> the packages, not that I know of; I have read they said they are not
> doing it.
>
> There is a plethora of insecurities on MELPA. It is far from harmless.
>
> As far as I understood, the packages arriving at GNU ELPA have their
> copyright assigned to the FSF. I am also assuming as a user that such
> packages are somehow reviewed by developers, not just one developer,
> and that they are placed into ELPA as a duplicate or copy of the
> upstream. I may be wrong in all of that assumption, but I think that
> GNU ELPA packages are verified for freedom and mostly for security and
> safety of users. We are speaking of loading true programming language
> code and executing it on users' computers.
>
> It is not equivalent to JavaScript; it is far more dangerous than
> JavaScript, which tends to execute in a safe environment, in such a
> way as not to abuse users' computers and data. Yet people have found
> ways to crack browsers and to crack and enter into users' file
> systems; there are many ways JavaScript can be malicious.
>
> The more packages there are that are not verified, but simply offered
> for download through MELPA, the more insecurities are coming in the
> future.
>
> MELPA is allowing Google to track users by using Google Analytics on
> their website; that already speaks of the webmaster's lack of skills
> in managing the website. There are so many free software programs for
> web statistics, and there is no need for third-party tracking.
>
> Now, the real insecurity comes from programs that are sourced from
> GitHub. If there are 4000+ packages, there can be 1000+ authors, maybe
> even 2000+ authors.
>
> Each of those authors represents an insecurity to computing, as their
> packages are not verified each time they are pulled; they are blindly
> trusted.
>
> The blind trust in MELPA packages is what is making it highly insecure
> for computer users.
>
> It requires just one author's account to be cracked and for malicious
> code to be inserted, and thousands of computer users can be affected
> that way.
>
> Finally, an author can go nuts himself and become psychotic; there are
> programmers who became so. They can introduce malicious code
> themselves, or can do it while claiming it was somebody else.
>
> Packages that I think do not belong in a free software repository, for
> the reason that they use proprietary information, wrap proprietary
> software, or use known spying networks:
>
> babel - uses non-free Babelfish translations (if I am mistaken, tell
> me)
>
> chatwork - uses the non-free ChatWork proprietary chat software
>
> bing-dict - uses the Microsoft Bing proprietary dictionary
>
> calfw-gcal - to edit Google Calendar
>
> Obviously I came to the letter C; I could browse more and find more
> troublesome packages.
>
> Yet the major insecurity is the number of packages that are not
> verified by a human to be safe, and the blind offering and blind
> acceptance by users thinking they are safe.
>
> Jean
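For readers who want to narrow the "blind trust" the quoted message describes, here is an init.el fragment showing the weak package.el settings beside hardened ones. It is an added example for this archive page, not code from Jean Louis, Marcel, MELPA or the Emacs project. It assumes Emacs 27 or later with package.el, GnuPG on the PATH, and the GNU ELPA signing key installed (for instance via the gnu-elpa-keyring-update package); the pinned package names are chosen for illustration only.

```elisp
;; Added example (not from the thread): restrict where packages come from
;; and require signatures where an archive provides them.
;; Assumes Emacs 27+, GnuPG available, and the GNU ELPA keyring installed.

(require 'package)

;; Weak setting: unsigned packages and failed signature checks are
;; tolerated, so any archive's contents are accepted as-is. This is the
;; blind trust the thread describes. Shown commented out for contrast.
;; (setq package-check-signature 'allow-unsigned)

;; Hardened: every package must carry a valid signature from a key in the
;; package keyring. Archives that never sign (MELPA) have to be listed in
;; `package-unsigned-archives' explicitly, otherwise their packages are
;; refused outright.
(setq package-check-signature 'all)

;; GNU ELPA (signed) stays the default source. MELPA is added here only to
;; show the explicit opt-in; leave it out entirely if unreviewed, unsigned
;; content is not acceptable on the machine.
(setq package-archives
      '(("gnu"   . "https://elpa.gnu.org/packages/")
        ("melpa" . "https://melpa.org/packages/")))
(setq package-unsigned-archives '("melpa"))

;; Prefer GNU ELPA whenever both archives offer the same package name, so a
;; higher version number on the unsigned archive cannot win by default.
(setq package-archive-priorities
      '(("gnu"   . 10)
        ("melpa" . 0)))

;; Pin individual packages to a single archive so no other archive can
;; shadow them. Package names below are illustrative.
(setq package-pinned-packages
      '((org   . "gnu")
        (magit . "melpa")))

(package-initialize)
```

This narrows the source of each package and makes signature failures on GNU ELPA fatal rather than silently accepted. It does nothing about the residual risk the message raises for an unsigned archive: a compromised or malicious upstream author still reaches every user who has opted in to that archive, so the opt-in should be as small as possible.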