From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail
From: Emanuel Berg <incal@dataswamp.org>
Newsgroups: gmane.emacs.devel
Subject: Re: Where should security issues with GNU ELPA packages be reported?
Date: Thu, 28 Mar 2024 15:53:09 +0100
Message-ID: <8734saxvai.fsf@dataswamp.org>
References: <87cyreo4np.fsf@ice9.digital>
Mime-Version: 1.0
Content-Type: text/plain
Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214";
	logging-data="35859"; mail-complaints-to="usenet@ciao.gmane.io"
User-Agent: Gnus/5.13 (Gnus v5.13)
To: emacs-devel@gnu.org
Cancel-Lock: sha1:K7qwG4ldrQmHuSOewwxwsyeFCno=
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Thu Mar 28 19:59:05 2024
Return-path: <emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org>
Envelope-to: ged-emacs-devel@m.gmane-mx.org
Original-Received: from lists.gnu.org ([209.51.188.17])
	by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org>)
	id 1rpuxs-00095l-AQ
	for ged-emacs-devel@m.gmane-mx.org; Thu, 28 Mar 2024 19:59:04 +0100
Original-Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <emacs-devel-bounces@gnu.org>)
	id 1rpux2-0001kG-HX; Thu, 28 Mar 2024 14:58:12 -0400
Original-Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ged-emacs-devel@m.gmane-mx.org>)
 id 1rpr89-0006j6-Ii
 for emacs-devel@gnu.org; Thu, 28 Mar 2024 10:53:25 -0400
Original-Received: from ciao.gmane.io ([116.202.254.214])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ged-emacs-devel@m.gmane-mx.org>)
 id 1rpr87-0006j9-B0
 for emacs-devel@gnu.org; Thu, 28 Mar 2024 10:53:24 -0400
Original-Received: from list by ciao.gmane.io with local (Exim 4.92)
 (envelope-from <ged-emacs-devel@m.gmane-mx.org>) id 1rpr82-0008Ou-0A
 for emacs-devel@gnu.org; Thu, 28 Mar 2024 15:53:18 +0100
X-Injected-Via-Gmane: http://gmane.org/
Mail-Followup-To: emacs-devel@gnu.org
Mail-Copies-To: never
Received-SPF: pass client-ip=116.202.254.214;
 envelope-from=ged-emacs-devel@m.gmane-mx.org; helo=ciao.gmane.io
X-Spam_score_int: -16
X-Spam_score: -1.7
X-Spam_bar: -
X-Spam_report: (-1.7 / 5.0 requ) BAYES_00=-1.9,
 HEADER_FROM_DIFFERENT_DOMAINS=0.249, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=no autolearn_force=no
X-Spam_action: no action
X-Mailman-Approved-At: Thu, 28 Mar 2024 14:58:11 -0400
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Emacs development discussions." <emacs-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/emacs-devel>,
 <mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/emacs-devel>
List-Post: <mailto:emacs-devel@gnu.org>
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/emacs-devel>,
 <mailto:emacs-devel-request@gnu.org?subject=subscribe>
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org
Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org
Xref: news.gmane.io gmane.emacs.devel:317367
Archived-At: <http://permalink.gmane.org/gmane.emacs.devel/317367>

Morgan Willcock wrote:

> I think I have found a security issue with a package which
> is distributed on GNU ELPA, and I am unsure who to notify.
>
> Given that the package is technically part of Emacs, do
> I follow whatever the procedure would be for disclosing
> security problems with Emacs? If so, what is that procedure?
>
> Or should I e-mail the package author first?

Good idea, after that you can post here or use
`report-emacs-bug'.

-- 
underground experts united
https://dataswamp.org/~incal