From: Husain Alshehhi
Newsgroups: gmane.emacs.devel
Subject: Security in the emacs package ecosystem
Date: Sun, 15 May 2022 20:53:31 +0000
Message-ID: <8735hatt4m.fsf@alshehhi.io>
To: emacs-devel@gnu.org
Hello,

This issue is not new and seems to have been discussed before: I was wondering if things have changed since then.

To summarize: most Emacs users download packages directly from the git repository. This is a security threat, as there is nothing to prevent a malicious change from going to users. The malicious change could be posted through a hack, or could be posted by the owner of the package (in extreme cases). Is there anything currently in the ecosystem, or package repository, to prevent these sorts of issues? Are there any initiatives or ideas to address these issues? If not, what are the recommended (and practical) ways to be safe?

(Some solutions that are typically thrown out: manual code review of every package installed. Use the distro package manager and have emacs packages go through the normal package review process of each distro. Package signing. melpa/elpa stamp of approval.)

Husain