From: Clément Pit-Claudel
Newsgroups: gmane.emacs.devel
Subject: Re: [ELPA/elpa-admin] Render README.org as ASCII with ox-ascii
Date: Sun, 29 Aug 2021 21:49:36 -0400
Message-ID: <7bc9ba82-e32a-291a-96a0-315d814d6943@gmail.com>
References: <87h7f7zww5.fsf@alphapapa.net> <0d8b81d8-e923-dc17-e815-3b1082a20a12@gmail.com> <878s0jztpm.fsf@alphapapa.net>
In-Reply-To: <878s0jztpm.fsf@alphapapa.net>
To: emacs-devel@gnu.org

On 8/29/21 8:01 PM, Adam Porter wrote:
> I would guess that those who have commit access to ELPA are considered
> trusted, and regardless of potentially using Org Export while building
> packages, those committers could already add malicious code that could
> end up being distributed to users until someone noticed and reverted the
> changes.

The scary part is not so much altering a package (or a few packages) with bad code (though that is scary), but having the ability to alter all of them (sure, you could push to all package branches, but that's more easily detected than altering one readme).

> Also, AFAIU, ELPA already runs Makefiles for packages as part of the
> build process, and those can run arbitrary code, which I guess could do
> things like modify other packages, modify the build process or scripts,
> or anything else that the user account the build process runs as could
> do on the server.

Good catch, and indeed given this, running org doesn't make things worse. Thanks.