From: Ted Zlatanov
Newsgroups: gmane.emacs.devel
Subject: Re: package.el + DVCS for security and convenience
Date: Mon, 07 Jan 2013 09:47:57 -0500
Organization: Теодор Златанов @ Cienfuegos
Message-ID: <877gnpkq1u.fsf@lifelogs.com>
To: emacs-devel@gnu.org
Reply-To: emacs-devel@gnu.org
User-Agent: Gnus/5.130006 (Ma Gnus v0.6) Emacs/24.3.50 (gnu/linux)
Xref: news.gmane.org gmane.emacs.devel:156116

On Mon, 07 Jan 2013 11:03:07 +0900 "Stephen J. Turnbull" wrote:

SJT> Ted Zlatanov writes:

>> I'm actually suggesting that the GNU ELPA maintainers (note the "GNU
>> ELPA" part here, this is not any ELPA maintainer) should review and sign
>> *every* commit to the GNU ELPA.

SJT> I have no idea what you think you're proposing.

I hope that doesn't make my proposal less ideal.

SJT> Security reviews are expensive; I doubt you'll have anybody willing
SJT> to maintain GNU ELPA after a couple of months of that, unless you
SJT> pay handsomely, or you enlist a maintainer per package or so to
SJT> reduce the burden on individual maintainers to a manageable level.

Trust is expensive. The alternative is to say "trust this code, though
we don't know what it is." That's the current state of affairs.

There is certainly review of code that goes into GNU Emacs itself. A
security exploit would be caught quickly (I hope, based on previous
cases like the file-local variable exploits). It's not as high-profile
as the Linux kernel, perhaps, but still an important target.

The GNU ELPA, being enabled by default, should be treated the same. But
because it's a network resource, we must use signatures to indicate
files in the GNU ELPA can be trusted, since we don't package the GNU
ELPA with Emacs itself.

In other words, we're building a web of trust around GNU Emacs because
we want to be able to install parts of it (hosted in the GNU ELPA)
optionally and over the network. That's where "trust" matters.

I never said it would be cheap or easy to do this. But I think the FSF
and GNU volunteers can handle the task, and I firmly believe reviewing
Emacs Lisp code is much easier than C, C++, Perl, etc. code. I'll
volunteer my own time for these reviews, unless of course you or others
are opposed because it would make me a "security tzar" or because it's
felt I'm unqualified.

As I said, the alternative is the current "just trust whatever we put
online" model, which is certainly cheap to run.

SJT> The obvious candidates for the latter are the authors.

No.

SJT> If they are not security reviews, what's the point of reviewing at
SJT> all? You just want signed commits, verifying that the commit was
SJT> actually received at the GNU ELPA. AFAICS this can be done by a bot,
SJT> which checks the authors' signatures on the commits.

No.

Ted
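The signature check the message argues for, written out as an added example in Emacs Lisp that is not part of the original post and not code from package.el or GNU ELPA: it verifies a detached OpenPGP signature over an archive file with the epg library and accepts the file only when the signing key's full fingerprint is on an explicit allowlist of GNU ELPA maintainer keys held in a dedicated keyring. A signature gpg rates "good" but made by a key outside the allowlist is rejected, which is the difference between "some author signed this" and "a GNU ELPA maintainer vouched for this". The variable names, the keyring directory, the fingerprint and the file paths are assumptions for illustration.

```elisp
;; Added example, not package.el or GNU ELPA code.  Requires a working
;; gpg binary; epg drives it.
(require 'epg)

(defvar my-elpa-trusted-fingerprints
  ;; Hypothetical 40-hex-digit fingerprint; replace with the real
  ;; maintainer keys.  Compare full fingerprints, never short key IDs,
  ;; which are cheap to collide.
  '("0123456789ABCDEF0123456789ABCDEF01234567")
  "Full fingerprints of keys allowed to sign GNU ELPA files.")

(defvar my-elpa-keyring-dir
  (expand-file-name "~/.emacs.d/elpa-keyring/")
  "GnuPG home directory that holds only the trusted maintainer keys.
Kept separate from the user's own keyring so that unrelated keys the
user happens to trust cannot vouch for archive contents.")

(defun my-elpa-verify-file (file sig-file)
  "Verify SIG-FILE, a detached signature over FILE.
Return the list of trusted fingerprints that vouched for FILE, or
signal an error when no good signature from an allowlisted key is
present.  Signatures from unknown keys are ignored even if gpg
reports them as good."
  (let ((context (epg-make-context 'OpenPGP))
        (trusted nil))
    (epg-context-set-home-directory context my-elpa-keyring-dir)
    (epg-verify-file context sig-file file)
    (dolist (sig (epg-context-result-for context 'verify))
      (let ((fpr (epg-signature-fingerprint sig)))
        (when (and (eq (epg-signature-status sig) 'good)
                   fpr
                   (member (upcase fpr) my-elpa-trusted-fingerprints))
          (push fpr trusted))))
    (unless trusted
      (error "No good signature from a trusted GNU ELPA key on %s (saw %S)"
             file
             ;; Report key ID and status of every signature gpg saw, so
             ;; a bad, expired or unknown-key signature is diagnosable.
             (mapcar (lambda (sig)
                       (list (epg-signature-key-id sig)
                             (epg-signature-status sig)))
                     (epg-context-result-for context 'verify))))
    trusted))

;; Usage (paths are illustrative):
;; (my-elpa-verify-file "~/Downloads/foo-1.0.tar" "~/Downloads/foo-1.0.tar.sig")
```

The check deliberately keys on `epg-signature-fingerprint` rather than `epg-signature-key-id`: the fingerprint is only reported for signatures gpg could fully validate against a key in the keyring, and it is what an allowlist should be pinned to. Populate the keyring directory from a trusted source (for example a keyring shipped with Emacs itself), since whoever controls that directory controls what "trusted" means.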