From: Tim Cross
Newsgroups: gmane.emacs.devel
Subject: Re: Fwd: Should package.el support notifying on package security updates?
Date: Sat, 13 Aug 2022 10:44:32 +1000
Message-ID: <86y1vt0xkf.fsf@gmail.com>
References: <87r12qm4q5.fsf@gmail.com> <87y1vus4xy.fsf@rfc20.org> <86y1vul261.fsf@gmail.com>
User-Agent: mu4e 1.8.8; emacs 29.0.50
To: Stefan Kangas
Cc: emacs-devel@gnu.org
Xref: news.gmane.io gmane.emacs.devel:293397

Stefan Kangas writes:

> Tim Cross writes:
>
>> - There are actually very few security issues reported for Elisp
>>   packages. This doesn't mean there aren't any, only that they are
>>   discovered and reported very rarely.
>
> If they are rare, that doesn't make them less important.
>

And at no point did I imply they were.

>> - It would require package maintainers to somehow flag that an update is
>>   a security update
>
> I find the maintainers of important packages to be highly conscientious
> people, and that goes in particular for the GNU ELPA maintainers. So I
> don't share your concerns.
>

It has absolutely nothing to do with whether the maintainers are
conscientious or not. My comments are in no way a criticism of
maintainers.
In fact, my comments are in support of maintainers in that they are
arguing against adding additional complexity for something which happens
rarely and which would be difficult to achieve in a consistent manner
because of the distributed maintenance model and how difficult it is to
get consistent workflows when you have a branch that is only used
extremely rarely.

>> I suspect if we added the functionality to flag an update as a security
>> update, it is something which happens so rarely, nobody will use it and
>> when they do, nobody will recognise what it really meant.
>
> I think people will know the meaning, because it will presumably say
> "security update" somewhere.

I think you missed my point, but no matter. If you feel it is worthwhile,
go ahead and implement it and get all the maintainers to use it. If I'm
wrong, that is great, as it would not be a bad thing to have. I just think
the value it will add is far less than the effort it will take to build
and maintain, and in 12 months no maintainers will use it because it will
be such a rare workflow that they will forget.