From: Matthias Dahl
Newsgroups: gmane.emacs.devel
Subject: Re: security of the emacs package system, elpa, melpa and marmalade
Date: Tue, 01 Oct 2013 16:03:56 +0200
Message-ID: <524AD64C.1080709@binary-island.eu>
In-Reply-To: <87vc1ixm7h.fsf@flea.lifelogs.com>
References: <523FEE1B.9020408@binary-island.eu> <87y56gymvz.fsf@flea.lifelogs.com> <52499473.50707@binary-island.eu> <87vc1ixm7h.fsf@flea.lifelogs.com>
To: emacs-devel@gnu.org

Hello @all...

First of all, thanks to everyone for weighing in with their respective opinions and investing their time, on- and off-list.

A sandbox as initially discussed is unanimously the wrong path to take, for various reasons that were brought up in detail, so I stand corrected and also agree with the admittedly convincing arguments.

But some interesting points came up in the course of all of this: There are people reviewing packages, even if it is just for their own sake and due to their own security needs. Those people check code and the history of the maintainers and keep a watchful eye on things. But they usually do so for themselves only.

Maybe this is just wishful thinking, but what if we could channel that effort into a single, package-repository-independent project? Please let me explain:

The project would mostly build on the web of trust principle. Basically, people can review and rate packages. In order to do so, you need a certain level of trust, which you gain through ratings or pledges from already trusted reviewers. Initially those could be the Emacs and respective package maintainers and so forth.

The interesting part though: This service should most definitely work across all package repositories.
That way, no matter if you download from ELPA or MELPA or Marmalade or whatever the future brings, the service is queried. The crux would be in defining a universal way to detect a package and its version. This could be through hashes across all .el files, for example, which all repos obviously deliver and have in common.

package.el could be extended to properly display all available metrics on the detail page of a package to keep the load down on the service. It would display the metrics for the current version as well as the overall metrics (which would be useful if the current version hadn't been rated yet).

Earlier in this thread, I mentioned I'd like to see better tools for users, so what about this: A user can comfortably review a package in Emacs when it is downloaded and before it is loaded (even a batch of packages). The same goes for updates: he can see diffs between the new version and the one he had installed. This could easily be combined with a review or rating for the service mentioned previously. Naturally, all of this is optional, without anyone being forced to do so.

Last but not least: Through an API key, all repos could report download metrics to the service, which can give a _very_ rough clue about how popular a package might be. Thus, we would finally have accumulated metrics for this and other things across repos.

This is just (again) thinking out loud. But I think this "solution" has some very promising potential because it is non-invasive to how Emacs currently works (= no sandbox effort), does not give a false sense of security and overall encourages the community to actually review code. And by all of this, it actually does imho increase security. And if those people who already review code continue to do so but also report their findings back to the service and maybe rate other people they know and trust, this could actually work rather well.

Ideally, the service could be extended in the future to make it a place where code review for newcomers (new packages) could happen to improve their work... just like it is done on the list right now.

I'm a bit afraid to ask, but what do you guys and gals think? :)

So long,
Matthias

--
Dipl.-Inf. (FH) Matthias Dahl | Software Engineer | binary-island.eu
services: custom software [desktop, mobile, web], server administration
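The two mechanisms the mail sketches, a repository-independent package identity derived from hashes of the .el files and a web-of-trust gate on who may rate a version, are shown below as an added illustration. This is example code written for this thread, not code from Emacs, package.el or any of the repositories; the sample packages, reviewers, pledges and ratings are constructed. It assumes file paths are given relative to the package root, and it treats `*-pkg.el` and `*-autoloads.el` as repository-generated files that are excluded from the identity so the same author code served by two repos yields the same fingerprint.

```python
"""Canonical package fingerprint + minimal web-of-trust rating store (constructed example)."""
import hashlib
from typing import Iterable, Mapping, Set, Tuple, Optional


def _is_generated(path: str) -> bool:
    """Assumption: these files are produced by the repository, not the author,
    and differ between ELPA/MELPA builds, so they must not affect identity."""
    name = path.rsplit("/", 1)[-1]
    return name.endswith("-pkg.el") or name.endswith("-autoloads.el")


def package_fingerprint(files: Mapping[str, bytes]) -> str:
    """SHA-256 over the package's .el files in sorted path order.
    Each path and each content blob is length-prefixed so that the boundary
    between entries is unambiguous (no "a"+"bc" == "ab"+"c" ambiguity)."""
    entries = []
    for path, data in files.items():
        norm = path[2:] if path.startswith("./") else path  # drop a leading "./"
        if norm.endswith(".el") and not _is_generated(norm):
            entries.append((norm, data))
    h = hashlib.sha256()
    for norm, data in sorted(entries):
        p = norm.encode("utf-8")
        h.update(len(p).to_bytes(4, "big") + p)
        h.update(len(data).to_bytes(8, "big") + data)
    return h.hexdigest()


def trusted_reviewers(seed: Set[str], pledges: Mapping[str, Set[str]],
                      threshold: int = 2) -> Set[str]:
    """Seed reviewers (e.g. Emacs/package maintainers) are trusted by definition.
    Anyone vouched for by at least `threshold` trusted reviewers becomes trusted;
    iterate to a fixed point so trust can propagate through several hops."""
    trusted = set(seed)
    changed = True
    while changed:
        changed = False
        for reviewer, vouchers in pledges.items():
            if reviewer not in trusted and len(vouchers & trusted) >= threshold:
                trusted.add(reviewer)
                changed = True
    return trusted


def aggregate_rating(ratings: Iterable[Tuple[str, str, str, int]], trusted: Set[str],
                     package: str, fingerprint: Optional[str] = None) -> Tuple[int, float]:
    """ratings are (reviewer, package, fingerprint, score). Only trusted reviewers
    count. fingerprint=None yields the overall metric across all versions, which is
    what a client would fall back to when the current version has no ratings yet."""
    scores = [s for r, pkg, fp, s in ratings
              if pkg == package and r in trusted
              and (fingerprint is None or fp == fingerprint)]
    n = len(scores)
    return n, (sum(scores) / n if n else 0.0)


# --- constructed sample data: the same package as two repos would deliver it ---
ELPA_FILES = {"foo.el": b";;; foo.el --- example\n(provide 'foo)\n",
              "foo-pkg.el": b"(define-package \"foo\" \"1.0\")\n"}
MELPA_FILES = {"./foo.el": b";;; foo.el --- example\n(provide 'foo)\n",
               "./foo-pkg.el": b"(define-package \"foo\" \"20131001.1\")\n",
               "./README.md": b"docs\n"}
NEXT_VERSION_FILES = {"foo.el": b";;; foo.el --- example\n(defvar foo-x 1)\n(provide 'foo)\n"}

FP_V1 = package_fingerprint(ELPA_FILES)
FP_V2 = package_fingerprint(NEXT_VERSION_FILES)

SEED = {"alice", "bob"}                      # constructed maintainer accounts
PLEDGES = {"carol": {"alice", "bob"},        # vouched for by two seeds
           "dave": {"carol", "alice"},       # trusted only once carol is
           "eve": {"dave"}}                  # one voucher: below threshold
RATINGS = [("carol", "foo", FP_V1, 5), ("dave", "foo", FP_V1, 4),
           ("eve", "foo", FP_V1, 1), ("alice", "foo", FP_V2, 3)]


def demo() -> Tuple[bool, Tuple[int, float], Tuple[int, float]]:
    """Returns (same fingerprint across repos?, v1 metric, overall metric)."""
    trusted = trusted_reviewers(SEED, PLEDGES)
    return (package_fingerprint(MELPA_FILES) == FP_V1,
            aggregate_rating(RATINGS, trusted, "foo", FP_V1),
            aggregate_rating(RATINGS, trusted, "foo"))


if __name__ == "__main__":
    print("trusted:", sorted(trusted_reviewers(SEED, PLEDGES)))
    print("same identity across repos, v1 metric, overall metric:", demo())
```

Note that eve's rating is ignored because her single pledge is below the trust threshold, while a version that has not been rated yet still gets the overall metric from earlier versions, the fallback the mail proposes for package.el's detail page.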