From: Tim Cross
Newsgroups: gmane.emacs.devel
Subject: Re: Fwd: Should package.el support notifying on package security updates?
Date: Sat, 13 Aug 2022 10:58:40 +1000
Message-ID: <86tu6h0x3d.fsf@gmail.com>
References: <87r12qm4q5.fsf@gmail.com> <87y1vus4xy.fsf@rfc20.org> <86y1vul261.fsf@gmail.com>
To: Stefan Monnier
Cc: emacs-devel@gnu.org
User-Agent: mu4e 1.8.8; emacs 29.0.50
List-Id: "Emacs development discussions."
Xref: news.gmane.io gmane.emacs.devel:293398

Stefan Monnier writes:

>
> I'm not sure it would be a big problem. But I'm not sure it would be an
> improvement either. Especially because I suspect it might give the
> false impression that the code of ELisp packages is somewhat
> security-conscious, whereas in my experience, the vast majority of Emacs
> packages isn't (they may end up secure by accident, of course).
>

That is an extremely important point. Very few people even give this a
thought when installing packages - especially packages from MELPA and other
external repositories. Having 'security' would imply for some that there is
a formal security process for reviewing, tracking and reporting security
issues. We don't have any of this and advertising some updates as security
fixes could well create a false sense of security.