From: Lars Ingebrigtsen
To: Philip Kaludercic
Cc: Stefan Monnier , emacs-devel@gnu.org
Newsgroups: gmane.emacs.devel
Subject: Re: feature/package+vc 04c4c578c7 3/4: Allow for packages to be installed directly from VCS
Date: Sat, 08 Oct 2022 17:58:24 +0200
Message-ID: <871qris3xb.fsf@gnus.org>
In-Reply-To: <87bkqmqpvb.fsf@posteo.net> (Philip Kaludercic's message of "Sat, 08 Oct 2022 15:47:20 +0000")
References: <164484721900.31751.1453162457552427931@vcs2.savannah.gnu.org> <20220214140020.04438C00891@vcs2.savannah.gnu.org> <87bkqmqpvb.fsf@posteo.net>

Philip Kaludercic writes:

> - The ability to install a package directly from source using
>   `package-vc-fetch' (aliased to `package-checkout'). This
>   functionality is ideally VC generic.
>
> - The ability to update a package using `package-upgrade'[0]
>
> - Package metadata can either be inferred from the package URL (see
>   `package-vc-heusitic-alist') or via explicit hints from an ELPA
>   server. I plan to add the necessary features to GNU and NonGNU ELPA
>   in time so that the heuristics can be avoided.
>
> - The ability to (i) contact, (ii) send bug reports and (iii) patches
>   (using the new `vc-patch-prepare') to package maintainers.

Sounds like great functionality, but I wonder whether the security
implications have been discussed?

Today, we use GNU ELPA as a filter of sorts and people rely on code
there not being compromised.

I assume "hints from an ELPA server" is basically a list of links to git
repositories? If that's the case, then we may well end up pointing
users towards repos that have been compromised.

If we don't have such a list, then adding the basic functionality sounds
useful anyway -- that is, allowing users to say `M-x
package-install-from-repo' or something and then they type in the URL of
that repo -- that's fine, and leaves the security implications to the
user (where they already are today for people that install from external
repos).

But if we list these repos in `M-x list-packages', that's a very
different issue.