unofficial mirror of emacs-devel@gnu.org 
* GNU ELPA security and Org-mode
@ 2017-04-06 15:04 Stefan Monnier
From: Stefan Monnier @ 2017-04-06 15:04 UTC
  To: emacs-devel

I just realized that the GPG-signing we're doing in GNU ELPA is
weaker for the org-mode packages than for all others:

All GNU ELPA packages, except for org-mode, are generated by
elpa.gnu.org from an elpa.git checkout (via https, not sure if Git
checks the key), whereas the org-mode package is downloaded from
http://orgmode.org/elpa.

So the org-mode package has weaker points:
- uses http rather than https.
- downloaded from a machine that's further (well, not absolutely sure,
  but I assume that elpa.gnu.org and git.sv.gnu.org are near each other).

Maybe we should consider some way to take the org packages from
http://orgmode.org/elpa, and push them to elpa.git.  This way even if
this transfer from orgmode.org to elpa.git suffers from the same risks,
the resulting patch would be sent to elpa-diffs, so it would be exposed
for review (how much review it would really get is clearly debatable,
tho).


        Stefan



