From: Matthias Dahl
Newsgroups: gmane.emacs.devel
Subject: Re: security of the emacs package system, elpa, melpa and marmalade
Date: Mon, 30 Sep 2013 17:12:56 +0200
Message-ID: <524994F8.8070506@binary-island.eu>
References: <523FEE1B.9020408@binary-island.eu> <52429ABD.6090603@binary-island.eu> <52432BE9.1070402@binary-island.eu> <5243F836.9020301@binary-island.eu> <5245938E.6040906@binary-island.eu>
To: rms@gnu.org, Stefan Monnier
Cc: emacs-devel@gnu.org

Hello Richard...

> I think that we should warn users that it is risky to use packages
> from archives that don't supervise the code that gets put in them, or
> that don't use signing.

+1

But imho, this would also include ELPA because there is not really a
control process in place. A mail gets sent that some person from the
community needs to thoroughly read/check. There is no guarantee that
someone will actually do this.

So long,
Matthias

-- 
Dipl.-Inf. (FH) Matthias Dahl | Software Engineer | binary-island.eu
services: custom software [desktop, mobile, web], server administration