From: Philip Kaludercic
Newsgroups: gmane.emacs.devel
Subject: Re: feature/package+vc 04c4c578c7 3/4: Allow for packages to be installed directly from VCS
Date: Sat, 08 Oct 2022 17:18:45 +0000
Message-ID: <8735byqlmy.fsf@posteo.net>
References: <164484721900.31751.1453162457552427931@vcs2.savannah.gnu.org> <20220214140020.04438C00891@vcs2.savannah.gnu.org> <87bkqmqpvb.fsf@posteo.net> <871qris3xb.fsf@gnus.org>
In-Reply-To: (Stefan Monnier's message of "Sat, 08 Oct 2022 12:35:27 -0400")
To: Stefan Monnier
Cc: Lars Ingebrigtsen, emacs-devel@gnu.org
Xref: news.gmane.io gmane.emacs.devel:297211

Stefan Monnier writes:

>> If we don't have such a list, then adding the basic functionality sounds
>> useful anyway -- that is, allowing users to say `M-x
>> package-install-from-repo' or something and then they type in the URL of
>> that repo -- that's fine, and leaves the security implications to the
>> user (where they already are today for people that install from external
>> repos).
>
> Indeed there are 2 different steps:
> - installing from a particular "URL" (well, a URL plus some extra side
>   info, tho that side info can be empty in many cases).  AFAIK that's
>   what Philip's code currently offers.

Correct.

> - provide some way to let the user specify a package name and let
>   something else map that to a "URL".  This is the more risky step and
>   I don't think his code implements that yet.  Not sure how to address
>   the security issue at that step, other than by dumping the problem
>   onto the users: show them the URL and ask them if they're OK with it.

This is implemented; the "something else" is just the package metadata.
To me there seems to be no difference between trusting an archive that
a tarball is safe or that a repository it points to is safe.

> But as Philip points out, the (Non)GNU ELPA packages, while signed and
> all, just blindly pull from those same URLs to build the tarballs, so
> the difference is not as large as it seems.

If it would make any difference, it would also be possible to inhibit
the generation of autoloads.

>> But if we list these repos in `M-x list-packages', that's a very
>> different issue.
>
> It also depends on where the list comes from.
>
>
>         Stefan