From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: Ted Zlatanov <tzz@lifelogs.com>
Newsgroups: gmane.emacs.devel
Subject: Re: ELPA security
Date: Mon, 31 Dec 2012 17:15:17 -0500
Organization: =?utf-8?B?0KLQtdC+0LTQvtGAINCX0LvQsNGC0LDQvdC+0LI=?= @ Cienfuegos
Message-ID: <877gnx27ii.fsf@lifelogs.com>
References: <8738zf70ep.fsf@riseup.net> <871uejlbm1.fsf@lifelogs.com>
	<jwv1ueim58e.fsf-monnier+emacs@gnu.org>
	<CALXzQZh0T9KPrrXRMERhHx+zv_mpdR-V-hTU2NWJDbqP9OoL-g@mail.gmail.com>
	<87623i5tld.fsf@lifelogs.com> <87ehi6j943.fsf@fleche.redhat.com>
Reply-To: emacs-devel@gnu.org
NNTP-Posting-Host: plane.gmane.org
Mime-Version: 1.0
Content-Type: text/plain
X-Trace: ger.gmane.org 1356992132 947 80.91.229.3 (31 Dec 2012 22:15:32 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Mon, 31 Dec 2012 22:15:32 +0000 (UTC)
To: emacs-devel@gnu.org
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Mon Dec 31 23:15:48 2012
Return-path: <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>
Envelope-to: ged-emacs-devel@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by plane.gmane.org with esmtp (Exim 4.69)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1Tpne7-0000re-2s
	for ged-emacs-devel@m.gmane.org; Mon, 31 Dec 2012 23:15:47 +0100
Original-Received: from localhost ([::1]:53706 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1Tpndr-0005fo-S0
	for ged-emacs-devel@m.gmane.org; Mon, 31 Dec 2012 17:15:31 -0500
Original-Received: from eggs.gnu.org ([208.118.235.92]:45545)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <ged-emacs-devel@m.gmane.org>) id 1Tpndo-0005fc-Jw
	for emacs-devel@gnu.org; Mon, 31 Dec 2012 17:15:30 -0500
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <ged-emacs-devel@m.gmane.org>) id 1Tpndn-0001rK-HU
	for emacs-devel@gnu.org; Mon, 31 Dec 2012 17:15:28 -0500
Original-Received: from plane.gmane.org ([80.91.229.3]:34359)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <ged-emacs-devel@m.gmane.org>) id 1Tpndn-0001rB-Am
	for emacs-devel@gnu.org; Mon, 31 Dec 2012 17:15:27 -0500
Original-Received: from list by plane.gmane.org with local (Exim 4.69)
	(envelope-from <ged-emacs-devel@m.gmane.org>) id 1Tpne0-0000o3-UA
	for emacs-devel@gnu.org; Mon, 31 Dec 2012 23:15:40 +0100
Original-Received: from c-65-96-148-157.hsd1.ma.comcast.net ([65.96.148.157])
	by main.gmane.org with esmtp (Gmexim 0.1 (Debian))
	id 1AlnuQ-0007hv-00
	for <emacs-devel@gnu.org>; Mon, 31 Dec 2012 23:15:40 +0100
Original-Received: from tzz by c-65-96-148-157.hsd1.ma.comcast.net with local (Gmexim
	0.1 (Debian)) id 1AlnuQ-0007hv-00
	for <emacs-devel@gnu.org>; Mon, 31 Dec 2012 23:15:40 +0100
X-Injected-Via-Gmane: http://gmane.org/
Mail-Followup-To: emacs-devel@gnu.org
Original-Lines: 35
Original-X-Complaints-To: usenet@ger.gmane.org
X-Gmane-NNTP-Posting-Host: c-65-96-148-157.hsd1.ma.comcast.net
X-Face: bd.DQ~'29fIs`T_%O%C\g%6jW)yi[zuz6;
	d4V0`@y-~$#3P_Ng{@m+e4o<4P'#(_GJQ%TT=
	D}[Ep*b!\e,fBZ'j_+#"Ps?s2!4H2-Y"sx"
Mail-Copies-To: never
User-Agent: Gnus/5.130006 (Ma Gnus v0.6) Emacs/24.3.50 (gnu/linux)
Cancel-Lock: sha1:6lWa4gr+VTqcObB2KzTKzQHoXz4=
X-detected-operating-system: by eggs.gnu.org: Genre and OS details not
	recognized.
X-Received-From: 80.91.229.3
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Emacs development discussions." <emacs-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/emacs-devel>
List-Post: <mailto:emacs-devel@gnu.org>
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=subscribe>
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Xref: news.gmane.org gmane.emacs.devel:156047
Archived-At: <http://permalink.gmane.org/gmane.emacs.devel/156047>

On Mon, 31 Dec 2012 12:48:44 -0700 Tom Tromey <tromey@redhat.com> wrote: 

>>>>>> "Ted" == Ted Zlatanov <tzz@lifelogs.com> writes:
Ted> 1. add DVCS support to package.el, supporting Git and Bazaar, with the
Ted> notion of "pull packages from repo X at tag/commit Y" in addition to the
Ted> current "pull packages from URLs".  The VC package has to be involved
Ted> here, instead of writing custom code.

Tom> What is the reason for this?

Right now, it's easy to change the DNS entry for the GNU ELPA and
compromise a user's machine completely.

I proposed a way for package.el to verify packages by looking at signed
DVCS commits (Bazaar) or tags (Git).  This uses public-key cryptography,
which fits well with the decentralized operation of package.el, and
these DVCSs are available on most modern platforms that can run Emacs.
Please see my previous posts to emacs-devel for the details.

Tom> FWIW, I considered and rejected this approach when writing package.el.
Tom> My reason was that I wanted packaging not to require any external tools,
Tom> so it would be available to all Emacs users.  Also, KISS.

OK.  KISS doesn't address package security, unfortunately.  How would
you suggest we verify the packages you've downloaded?  Plain HTTP and
HTTP/S are not sufficient.  We need to build the equivalent of the DVCS
signed commits/tags, in my opinion, and I'd live to avoid that extra
work.  The VC package, present in Emacs already, could provide this.

Tom> Mixing in VC seems to add a lot of potential failure modes.

The current situation is bad enough to warrant this work and potential
complications.  I am open to alternative suggestions.

Ted