From: Tim Cross
Newsgroups: gmane.emacs.devel
Subject: Re: feature/package+vc 04c4c578c7 3/4: Allow for packages to be installed directly from VCS
Date: Mon, 10 Oct 2022 10:14:44 +1100
Message-ID: <86o7uk7f2e.fsf@gmail.com>
In-reply-to: <87edvhqdrb.fsf@gnus.org>
References: <164484721900.31751.1453162457552427931@vcs2.savannah.gnu.org> <20220214140020.04438C00891@vcs2.savannah.gnu.org> <87bkqmqpvb.fsf@posteo.net> <871qris3xb.fsf@gnus.org> <877d1aqoc1.fsf@posteo.net> <87edvhqdrb.fsf@gnus.org>
To: Lars Ingebrigtsen
Cc: Philip Kaludercic, Stefan Monnier, emacs-devel@gnu.org
User-Agent: mu4e 1.9.0; emacs 29.0.50
Xref: news.gmane.io gmane.emacs.devel:297298

Lars Ingebrigtsen writes:

> Philip Kaludercic writes:
>
>> It seems to me that fetching a package from source is no more dangerous
>> than fetching a tarball, seeing as the tarball is automatically
>> generated from the repository.
>
> It doesn't matter much whether it's a tarball or a git repo (although
> there is signing of the tarballs), but whether there's any oversight at
> all or not. All commits to Non/GNU ELPA end up on a mailing list, which
> provides a smidgen of transparency, which is better than none.

Signing of tarballs may help a bit, as it will typically mean you have to both compromise the source repository and compromise the keys used for signing. It raises the bar a bit.

Posting commits to a mailing list might provide some transparency, but next to nothing for security. In fact, I would argue it is extremely dangerous to assume it does anything for security.
Just because something is sent to a mailing list doesn't mean anyone actually looks at it or performs any assessment.

I'm not sure anything Philip is proposing is making the situation significantly worse, because we are not doing anything proactive with respect to security anyway. We are largely hoping 'someone else' has reviewed it and flagged any security issues. While this might occur from time to time, its ad hoc nature means it cannot be assumed to occur.

We should educate users that all these methods, regardless of source, have security implications. We should actively discourage any assumption that we are similar to Apple, whereby you can (supposedly) assume some level of confidence regarding packages installed from their App Store. The only level of confidence we can really provide wrt GNU ELPA and NonGNU ELPA is that the packages in those repositories have acceptable licenses.