unofficial mirror of emacs-devel@gnu.org 
 help / color / mirror / code / Atom feed
From: Ted Zlatanov <tzz@lifelogs.com>
To: emacs-devel@gnu.org
Subject: Re: package.el + DVCS for security and convenience
Date: Mon, 07 Jan 2013 09:47:57 -0500	[thread overview]
Message-ID: <877gnpkq1u.fsf@lifelogs.com> (raw)
In-Reply-To: 87bod1bvhg.fsf@uwakimon.sk.tsukuba.ac.jp

On Mon, 07 Jan 2013 11:03:07 +0900 "Stephen J. Turnbull" <stephen@xemacs.org> wrote: 

SJT> Ted Zlatanov writes:
>> I'm actually suggesting that the GNU ELPA maintainers (note the "GNU
>> ELPA" part here, this is not any ELPA maintainer) should review and sign
>> *every* commit to the GNU ELPA.

SJT> I have no idea what you think you're proposing.

I hope that doesn't make my proposal less ideal.

SJT> Security reviews are expensive; I doubt you'll have anybody willing
SJT> to maintain GNU ELPA after a couple of months of that, unless you
SJT> pay handsomely, or you enlist a maintainer per package or so to
SJT> reduce the burden on individual maintainers to a manageable level.

Trust is expensive.  The alternative is to say "trust this code, though
we don't know what it is."  That's the current state of affairs.

There is certainly review of code that goes into GNU Emacs itself.  A
security exploit would be caught quickly (I hope, based on previous
cases like the file-local variable exploits).  It's not as high-profile
as the Linux kernel, perhaps, but still an important target.

The GNU ELPA, being enabled by default, should be treated the same.  But
because it's a network resource, we must use signatures to indicate
files in the GNU ELPA can be trusted, since we don't package the GNU
ELPA with Emacs itself.

In other words, we're building a web of trust around GNU Emacs because
we want to be able to install parts of it (hosted in the GNU ELPA)
optionally and over the network.  That's where "trust" matters.

I never said it would be cheap or easy to do this.  But I think the FSF
and GNU volunteers can handle the task, and I firmly believe reviewing
Emacs Lisp code is much easier than C, C++, Perl, etc. code.  I'll
volunteer my own time for these reviews, unless of course you or others
are opposed because it would make me a "security tzar" or because it's
felt I'm unqualified.  As I said, the alternative is the current "just
trust whatever we put online" model, which is certainly cheap to run.

SJT> The obvious candidates for the latter are the authors.

No.

SJT> If they are not security reviews, what's the point of reviewing at
SJT> all?  You just want signed commits, verifying that the commit was
SJT> actually received at the GNU ELPA.  AFAICS this can be done by a bot,
SJT> which checks the authors' signatures on the commits.

No.

Ted




  reply	other threads:[~2013-01-07 14:47 UTC|newest]

Thread overview: 101+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-12-09 14:41 ELPA security George Kadianakis
2012-12-09 21:00 ` Nic Ferrier
2012-12-21 14:32 ` Ted Zlatanov
2012-12-21 22:12   ` Xue Fuqiao
2012-12-22  5:07   ` Bastien
2012-12-22  6:17     ` Xue Fuqiao
2012-12-22 12:34       ` Stephen J. Turnbull
2012-12-22 13:03         ` Bastien
2012-12-22 13:24           ` Bastien
2012-12-22 19:37             ` package.el + DVCS for security and convenience (was: ELPA security) Ted Zlatanov
2012-12-24 12:53               ` package.el + DVCS for security and convenience Nic Ferrier
2012-12-24 12:55                 ` Bastien
2012-12-24 13:38                   ` Ted Zlatanov
2012-12-24 13:39                   ` Xue Fuqiao
2012-12-24 16:17               ` Stefan Monnier
2012-12-24 17:46                 ` Ted Zlatanov
2012-12-25  1:03                   ` Stephen J. Turnbull
2012-12-26 14:22                     ` Ted Zlatanov
2012-12-27  3:06                       ` Stephen J. Turnbull
2012-12-27  8:56                         ` Xue Fuqiao
2012-12-31 11:18                         ` Ted Zlatanov
2012-12-31 12:32                           ` Stephen J. Turnbull
2012-12-31 13:50                             ` Ted Zlatanov
2012-12-31 16:47                               ` Stephen J. Turnbull
2012-12-31 21:41                                 ` Ted Zlatanov
2012-12-29  6:19                   ` Stefan Monnier
2012-12-31 11:22                     ` Ted Zlatanov
2013-01-03 16:41                       ` Stefan Monnier
2013-01-04 16:05                         ` Ted Zlatanov
2013-01-04 18:11                           ` Stefan Monnier
2013-01-04 19:06                             ` Ted Zlatanov
2013-01-05  3:25                               ` Stephen J. Turnbull
2013-01-06 19:20                                 ` Ted Zlatanov
2013-01-07  2:03                                   ` Stephen J. Turnbull
2013-01-07 14:47                                     ` Ted Zlatanov [this message]
2013-01-08  1:44                                       ` Stephen J. Turnbull
2013-01-08 15:15                                         ` Ted Zlatanov
2013-01-08 17:53                                           ` Stephen J. Turnbull
2013-01-08 18:46                                             ` Ted Zlatanov
2013-01-08 21:20                                             ` Stefan Monnier
2013-01-09  2:37                                               ` Stephen J. Turnbull
2013-01-08  2:20                                       ` Stephen J. Turnbull
2013-01-08 14:05                                         ` Xue Fuqiao
2013-01-04 22:21                           ` Xue Fuqiao
2012-12-31 20:06               ` Re:package.el + DVCS for security and convenience (was: ELPA security) Phil Hagelberg
2012-12-31 22:50                 ` package.el + DVCS for security and convenience Ted Zlatanov
2012-12-22 16:20   ` ELPA security Stefan Monnier
2012-12-26 17:32     ` Paul Nathan
2012-12-31 11:50       ` Ted Zlatanov
2012-12-31 12:34         ` Stephen J. Turnbull
2012-12-31 13:39         ` Package signing infrastructure suggestion (was Re: ELPA security) Nic Ferrier
2012-12-31 22:32           ` Ted Zlatanov
2012-12-31 23:01             ` Xue Fuqiao
2012-12-31 19:48         ` ELPA security Tom Tromey
2012-12-31 19:57           ` Drew Adams
2012-12-31 22:19             ` Ted Zlatanov
2012-12-31 22:15           ` Ted Zlatanov
2013-01-05 16:46   ` Achim Gratz
2013-01-06 19:12     ` Ted Zlatanov
2013-01-07  5:32       ` Paul Nathan
2013-01-07  5:47         ` Jambunathan K
2013-01-07  5:53           ` Paul Nathan
2013-01-07  6:09             ` Jambunathan K
2013-01-07  6:20               ` Paul Nathan
2013-01-07  7:12               ` Stephen J. Turnbull
2013-01-07  7:18               ` chad
2013-01-07 14:34               ` Ted Zlatanov
2013-01-07  6:57           ` Stephen J. Turnbull
2013-01-07 14:35           ` Ted Zlatanov
2013-01-07 15:01         ` Ted Zlatanov
2013-01-08  3:07           ` Stefan Monnier
2013-01-08 14:47             ` Ted Zlatanov
2013-01-08 16:57               ` Stefan Monnier
2013-01-08 17:30                 ` Ted Zlatanov
2013-01-08 20:50                   ` Stefan Monnier
2013-01-08 21:30                     ` Ted Zlatanov
2013-01-08 22:46                       ` Stefan Monnier
2013-01-08 23:30                         ` Ted Zlatanov
2013-03-12 18:29                           ` Ted Zlatanov
2013-01-08 17:00               ` Stefan Monnier
2013-01-08 17:59                 ` Achim Gratz
2013-01-08 18:37                   ` Ted Zlatanov
2013-01-08 20:59                   ` Stefan Monnier
2013-06-16 11:18                     ` Ted Zlatanov
2013-06-16 23:12                       ` Stefan Monnier
2013-06-17  1:56                         ` Stephen J. Turnbull
2013-06-17  7:23                           ` Ted Zlatanov
2013-06-17 15:54                             ` Stephen J. Turnbull
2013-06-28 15:34                               ` Ted Zlatanov
2013-06-17 14:34                           ` Stefan Monnier
2013-06-17  7:20                         ` Ted Zlatanov
2013-06-19  5:02                           ` Ted Zlatanov
2013-06-19 12:38                             ` Stefan Monnier
2013-06-23 11:58                             ` Ted Zlatanov
2013-06-23 16:41                               ` Stefan Monnier
2013-06-28 15:47                                 ` Ted Zlatanov
2013-06-28 16:28                                   ` Nic Ferrier
2013-06-28 22:49                                   ` Stefan Monnier
2013-06-24  3:44                               ` Daiki Ueno
2013-06-28 15:32                                 ` Ted Zlatanov
2013-06-28 16:15                                   ` Daiki Ueno

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://www.gnu.org/software/emacs/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=877gnpkq1u.fsf@lifelogs.com \
    --to=tzz@lifelogs.com \
    --cc=emacs-devel@gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).