From: Tim Cross
Newsgroups: gmane.emacs.devel
Subject: Re: Fwd: Should package.el support notifying on package security updates?
Date: Thu, 25 Aug 2022 14:33:02 +1000
Message-ID: <86y1vc3onq.fsf@gmail.com>
References: <87r12qm4q5.fsf@gmail.com> <87y1vus4xy.fsf@rfc20.org>
User-Agent: mu4e 1.8.9; emacs 29.0.50
Cc: Gulshan Singh, matt@rfc20.org, emacs-devel@gnu.org
To: rms@gnu.org
Xref: news.gmane.io gmane.emacs.devel:294065

Richard Stallman writes:

> [[[ To any NSA and FBI agents reading my email: please consider ]]]
> [[[ whether defending the US Constitution against all enemies, ]]]
> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
>
> > That makes sense. But I only brought up the MELPA example because I
> > recently encountered a security bug in a MELPA package. There's no reason
> > ELPA packages can't have similar security bugs (I just don't have an
> > example of this at the moment), and I figured it might be a good idea to
> > have some support for making it easier for users to quickly get security
> > updates for packages, regardless of what repository they're using.
>
> We can do that for the repositories that we support, whose packages we
> can fix or whose maintainers have some relationship with us. We have
> no relationship with MELPA -- if you use that, you're on your own.
>
> We do copy some packages from MELPA into NonGNU ELPA. It takes a
> little discussion, making sure the package does and will satisfy some
> basic criteria. But if the package is popular, we're glad to do that.
> You can ask us to move the packages you use, if they are popular.
>
> Do we support the NonGNU ELPA packages well enough now
> for security updates?

No, and nor are the main ELPA packages supported sufficiently to
implement a concept of security updates. Once you distinguish updates
such that you now include security updates (in a similar manner to GNU
Linux distributions like Debian, Fedora etc.), you create the
expectation that

- there is some formal review and management of security issues. There
  isn't.
- packages are being reviewed and monitored for security issues. They
  are not.
- updates not flagged as security updates do not have a security
  implication. This may not be true.

Essentially, all this will do is create a false sense of security. Users
will believe that, provided they have applied all packages marked as
security updates, their system has no packages with known security
issues. As we don't have any formal tracking or management of security
issues, and as we don't do any systematic or formal review of packages
in either GNU ELPA or non-GNU ELPA, we cannot provide, and we should not
give the impression of providing, any level of security assurance.

In fact, we should likely go completely the other direction and educate
users that when they add packages, especially non-GNU packages, it is
completely at their own risk. The main reason there hasn't been a major
security issue with Emacs and the package system is down to good luck,
not due to good security policy. If Emacs was more popular and had a
larger user base, making it a richer target for those interested in
compromising systems, we would see similar problems to those experienced
by NPM, Google and Apple stores etc.
All that is really protecting us now is that the rewards for doing such
are lower than the effort required to pull it off, and we have a few
people who do informal scanning/reviewing of code (which is great, but
provides little formal assurance and is unlikely to pick up cleverly
crafted exploits which are designed to defeat such informal scans).

What we could do which may provide some benefit to users is implement a
policy or practice which encourages package maintainers to label
security related changes in change logs or readme files in a specific
manner/format which makes them easy to spot. It is likely those who are
interested in security issues will check these files before applying
updates anyway. Those who just blindly apply updates are unlikely to
really be paying sufficient attention to security risks to benefit
anyway.
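As an added illustration of the labelling practice proposed in the message above (this is not code from the thread or from package.el), the function below reads a package's NEWS file in Emacs's own NEWS layout and lists the entries from releases newer than the installed version that carry an assumed "Security:" prefix; the prefix convention, the function name and the sample NEWS text are all assumptions made for this example.

```elisp
;; Added example: consume a hypothetical "Security:" tag in a package's
;; NEWS file so a user can see security-relevant changes before updating.
;; The tag convention and the my/ names are assumptions, not package.el.

(defun my/news-security-entries (news-text installed-version)
  "Return a list of (VERSION . ENTRY) for security-tagged NEWS entries.
NEWS-TEXT uses the Emacs NEWS layout: a release starts with a line
\"* Version X.Y\" and each entry is a line starting with \"** \".
Only releases newer than INSTALLED-VERSION are reported, and only
entries whose text starts with the assumed \"Security:\" prefix."
  (let ((result nil)
        (current nil))
    (dolist (line (split-string news-text "\n"))
      (cond
       ;; A release heading: remember which version the following
       ;; entries belong to.
       ((string-match "^\\* Version \\([0-9][0-9.]*\\)" line)
        (setq current (match-string 1 line)))
       ;; A tagged entry inside a release newer than the installed one.
       ((and current
             (version< installed-version current)
             (string-match "^\\*\\* Security: \\(.*\\)$" line))
        (push (cons current (match-string 1 line)) result))))
    (nreverse result)))

;; Constructed sample NEWS text for this example.
(defconst my/sample-news
  "* Version 2.1
** Security: Stop evaluating untrusted data read from remote files
** Add a new face for headings
* Version 2.0
** Security: Validate paths before writing cache files
** New command to export tables
* Version 1.9
** Minor documentation fixes")

;; With 2.0 installed, only the entry from 2.1 is reported; the 2.0
;; entry is already applied and 1.9 has no tagged entry.
(my/news-security-entries my/sample-news "2.0")
```

Because the installed version is compared with `version<`, entries for releases at or below it are skipped, so the list only ever shows what an update would actually bring in.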