From: Tim Cross
Newsgroups: gmane.emacs.devel
Subject: Re: feature/package+vc 04c4c578c7 3/4: Allow for packages to be installed directly from VCS
Date: Sun, 09 Oct 2022 06:02:12 +1100
Message-ID: <86y1tqb0bs.fsf@gmail.com>
In-reply-to: <871qris3xb.fsf@gnus.org>
References: <164484721900.31751.1453162457552427931@vcs2.savannah.gnu.org> <20220214140020.04438C00891@vcs2.savannah.gnu.org> <87bkqmqpvb.fsf@posteo.net> <871qris3xb.fsf@gnus.org>
To: Lars Ingebrigtsen
Cc: Philip Kaludercic, Stefan Monnier, emacs-devel@gnu.org

Lars Ingebrigtsen writes:

> Philip Kaludercic writes:
>
>> - The ability to install a package directly from source using
>>   `package-vc-fetch' (aliased to `package-checkout'). This
>>   functionality is ideally VC generic.
>>
>> - The ability to update a package using `package-upgrade'[0]
>>
>> - Package metadata can either be inferred from the package URL (see
>>   `package-vc-heusitic-alist') or via explicit hints from an ELPA
>>   server. I plan to add the necessary features to GNU and NonGNU ELPA
>>   in time so that the heuristics can be avoided.
>>
>> - The ability to (i) contact, (ii) send bug reports and (iii) patches
>>   (using the new `vc-patch-prepare') to package maintainers.
>
> Sounds like great functionality, but I wonder whether the security
> implications have been discussed? Today, we use GNU ELPA as a filter of
> sorts and people rely on code there not being compromised.
>
> I assume "hints from an ELPA server" is basically a list of links to git
> repositories? If that's the case, then we may well end up with pointing
> users towards repos that have been compromised.
>
> If we don't have such a list, then adding the basic functionality sounds
> useful anyway -- that is, allowing users to say `M-x
> package-install-from-repo' or something and then they type in the URL of
> that repo -- that's fine, and leaves the security implications to the
> user (where they already are today for people that install from external
> repos).
>
> But if we list these repos in `M-x list-packages', that's a very
> different issue.

I think it is very dangerous to suggest there is ANY security here, even
with GNU ELPA packages.

- There is no formal security review of packages.

- There is no review before packages are updated. If a repository is
  compromised and that compromise has not been detected, an update can
  still occur and introduce compromised code into GNU ELPA.

Far better to just educate users that ANY package they install could
contain malicious code.