From: George Kadianakis
To: emacs-devel@gnu.org
Newsgroups: gmane.emacs.devel
Subject: ELPA security
Date: Sun, 09 Dec 2012 16:41:50 +0200
Message-ID: <8738zf70ep.fsf@riseup.net>

Hi,

I've been looking into ELPA (the Emacs Lisp Package Archive) and I noticed that package.el provides no security of any kind. It doesn't do signatures, SSL, timestamps or anything.

Are you actually considering deploying a system that downloads untrusted code from the Internet every time a user asks for a new package or asks to upgrade his current packages?

Package management is serious business [0]. It's sad to see ELPA approaching the problem so insecurely.

Can't you at the very least, enable HTTPS on tromey.com and pin its public key on package.el?

Thanks!

[0]: http://isis.poly.edu/~jcappos/papers/cappos_pmsec_tr08-02.pdf
     https://www.cs.arizona.edu/stork/packagemanagersecurity/
     or just search google for "package manager security".