From: Matthias Dahl
Newsgroups: gmane.emacs.devel
Subject: Re: security of the emacs package system, elpa, melpa and marmalade
Date: Fri, 27 Sep 2013 16:18:03 +0200
Message-ID: <5245939B.9080305@binary-island.eu>
To: rms@gnu.org, "Stephen J. Turnbull"
Cc: monnier@IRO.UMontreal.CA, emacs-devel@gnu.org

Hello Richard...

On 26/09/13 18:25, Richard Stallman wrote:
> * Surreptitious substitution of the wrong code
> instead of what you think you are downloading.

In all honesty, I strongly believe that packages that contain malicious code would fall under this category.

I think the world in Emacs has changed: It is now even easier to get packages simply through the package system. Projects advertise that they should be installed through (M)ELPA or Marmalade. Yet nowhere is any mention about the security aspects of it.

- Neither repository checks the code for quality and security. And if a plugin should get withdrawn from a repository because it really was infected, there is no way to inform a user about it except through the bad press that followed. As a counter example: Plugins distributed through addons.mozilla.org are checked for security - initial versions as well as updates.

- An Emacs plugin can do whatever it chooses to do with the full privileges of the current user. But why give a plugin all such power in the first place? Informing the user beforehand what privileges a plugin requires, and thus tightening the belt on the plugin, would make things more transparent and more secure.

I would also _never_ install anything from MELPA if the source of it was from the wiki which everyone can edit freely, afaik.

Sorry for the wall of text. :(

So long,
Matthias

-- 
Dipl.-Inf. (FH) Matthias Dahl | Software Engineer | binary-island.eu
services: custom software [desktop, mobile, web], server administration
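Added example (not part of the original thread, and not code from package.el, ELPA, MELPA or Marmalade): the message above points out that nothing tells a user what an Emacs package will do with the user's full privileges. The following Elisp is a crude, illustrative "capability scan" of a package file before installation. It reads every top-level form and reports direct calls to functions that reach outside Emacs (processes, the file system, the network). The table of sensitive functions, the `my-` prefixed names and the example path are all assumptions chosen for illustration.

```elisp
;; Added example, not part of the original thread or of package.el.
;; A crude static "capability scan": read all top-level forms of an
;; Elisp file and report calls to functions that reach outside Emacs
;; (processes, the file system, the network). The list of sensitive
;; functions below is an assumption chosen for illustration.

(defconst my-sensitive-functions
  '((process . (shell-command shell-command-to-string call-process
                start-process make-process))
    (filesystem . (delete-file delete-directory rename-file copy-file
                   write-region))
    (network . (url-retrieve url-retrieve-synchronously
                open-network-stream make-network-process)))
  "Assumed table mapping a capability to the functions that use it.")

(defun my-scan-form (form acc)
  "Walk FORM recursively, pushing (CAPABILITY . FUNCTION) pairs onto ACC.
Return the updated ACC."
  (when (consp form)
    (let ((head (car form)))
      ;; A direct call (HEAD ARGS...) where HEAD is a sensitive function.
      (when (symbolp head)
        (dolist (entry my-sensitive-functions)
          (when (memq head (cdr entry))
            (push (cons (car entry) head) acc)))))
    ;; Descend into every subform; the loop also tolerates dotted lists.
    (while (consp form)
      (setq acc (my-scan-form (car form) acc))
      (setq form (cdr form))))
  acc)

(defun my-package-capabilities (file)
  "Return an alist of capabilities used by the Elisp source in FILE.
Each element has the shape (CAPABILITY FUNCTION...)."
  (let ((acc '()))
    (with-temp-buffer
      (insert-file-contents file)
      (goto-char (point-min))
      ;; `read' signals `end-of-file' once the last form has been consumed.
      (condition-case nil
          (while t
            (setq acc (my-scan-form (read (current-buffer)) acc)))
        (end-of-file nil)))
    ;; Group the hits by capability and drop duplicate function names.
    (let (result)
      (dolist (pair (nreverse acc))
        (let ((cell (assq (car pair) result)))
          (if cell
              (unless (memq (cdr pair) (cdr cell))
                (setcdr cell (append (cdr cell) (list (cdr pair)))))
            (push (list (car pair) (cdr pair)) result))))
      (nreverse result))))

;; Usage, e.g. on a freshly downloaded package before installing it
;; (the path is an assumption):
;; (my-package-capabilities "~/.emacs.d/elpa/foo-1.0/foo.el")
```

Caveat: this only sees literal, direct calls. A package that builds the function name at runtime (`intern`, `funcall` on a computed symbol, `eval` of a string) or that shells out through a macro defined elsewhere will not show up, so a scan like this is an aid for the reviewer, not a substitute for the declared-privilege model or the repository-side review the message asks for.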