From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: Matthias Dahl <ml_emacs-lists@binary-island.eu>
Newsgroups: gmane.emacs.devel
Subject: Re: security of the emacs package system, elpa, melpa and marmalade
Date: Mon, 30 Sep 2013 17:25:06 +0200
Message-ID: <524997D2.9080602@binary-island.eu>
References: <523FEE1B.9020408@binary-island.eu>	<jwvy56n7hsj.fsf-monnier+emacs@gnu.org>	<52429ABD.6090603@binary-island.eu>	<jwvob7gx43e.fsf-monnier+emacs@gnu.org>	<52432BE9.1070402@binary-island.eu>	<87d2nw1j3b.fsf@uwakimon.sk.tsukuba.ac.jp>	<5243F828.6060901@binary-island.eu>	<87a9iy2106.fsf@uwakimon.sk.tsukuba.ac.jp>	<524593A0.7020502@binary-island.eu>
	<8738oq189y.fsf@uwakimon.sk.tsukuba.ac.jp>
NNTP-Posting-Host: plane.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Trace: ger.gmane.org 1380554723 18568 80.91.229.3 (30 Sep 2013 15:25:23 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Mon, 30 Sep 2013 15:25:23 +0000 (UTC)
Cc: Stefan Monnier <monnier@IRO.UMontreal.CA>, emacs-devel@gnu.org
To: "Stephen J. Turnbull" <stephen@xemacs.org>
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Mon Sep 30 17:25:27 2013
Return-path: <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>
Envelope-to: ged-emacs-devel@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by plane.gmane.org with esmtp (Exim 4.69)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1VQfLh-0007Pp-9w
	for ged-emacs-devel@m.gmane.org; Mon, 30 Sep 2013 17:25:25 +0200
Original-Received: from localhost ([::1]:49256 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1VQfLg-0001P1-ST
	for ged-emacs-devel@m.gmane.org; Mon, 30 Sep 2013 11:25:24 -0400
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:50988)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <ml_emacs-lists@binary-island.eu>) id 1VQfLY-0001OH-55
	for emacs-devel@gnu.org; Mon, 30 Sep 2013 11:25:22 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <ml_emacs-lists@binary-island.eu>) id 1VQfLR-0002Ul-Vj
	for emacs-devel@gnu.org; Mon, 30 Sep 2013 11:25:16 -0400
Original-Received: from hemera.binary-island.eu ([97.107.138.233]:59308)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <ml_emacs-lists@binary-island.eu>) id 1VQfLR-0002UY-Rw
	for emacs-devel@gnu.org; Mon, 30 Sep 2013 11:25:09 -0400
Original-Received: from [10.0.0.20] (95-88-238-193-dynip.superkabel.de [95.88.238.193])
	by hemera.binary-island.eu (Postfix) with ESMTPSA id AAC9C3C083;
	Mon, 30 Sep 2013 11:27:21 -0400 (EDT)
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
	rv:24.0) Gecko/20100101 Thunderbird/24.0
In-Reply-To: <8738oq189y.fsf@uwakimon.sk.tsukuba.ac.jp>
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x
X-Received-From: 97.107.138.233
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Emacs development discussions." <emacs-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/emacs-devel>
List-Post: <mailto:emacs-devel@gnu.org>
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=subscribe>
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Xref: news.gmane.org gmane.emacs.devel:163731
Archived-At: <http://permalink.gmane.org/gmane.emacs.devel/163731>

Hello Stephhen...

> Sure.  *Preventing* that is going require doing something that is
> probably impossible for any program that isn't an operating system in
> control of the machine.

I am not saying a sandbox is the best solution. But imho, something
should be done... or would be nice to have. Even if it is community
based reputation system.

>  > You wouldn't work as root on your system, would you?
> 
> I do every day, to run emerge --update. ;-)

Ah, a fellow Gentoo user. ;) Running system updates as root is one
thing, working as root as daily routine where those privileges are just
not required, is careless (for many reasons), to say the least. And I
guess that is not would you do. :)

> The interesting question is, "why should a plugin be denied the rights
> it needs when those go beyond reading the buffer it was invoked from?"

Who said it should get those privileges denied? If it was installed and
declared its required permissions, it will get those. Or am I missing
something obvious from your statement/question here?

> Sure.  But the chances are pretty good that I would.  Anyway, the
> definition of "absolutely need" is "I'm willing to bet that I or some
> other user would catch it even if the author doesn't."

So you check the source for the plugins you use with each new update? Or
who else would you notice malicious code?

And if a plugin is driver by a single author, chances are that something
can go unnoticed for a while if the target group of said plugin is not a
very technical one... and as I learned in this thread, there are many
more Emacs users with a non-technical background.

> There's another answer based on the details of your example.  I avoid
> doing development on exposed hosts.  In one sense that's unfair, but
> in another it goes to the heart of the matter.

Which shows, you care about security too and take preventive measures.
Unfortunately, not everybody can work that way for various reasons, though.

So long,
Matthias

-- 
Dipl.-Inf. (FH) Matthias Dahl | Software Engineer | binary-island.eu
 services: custom software [desktop, mobile, web], server administration