From: Ted Zlatanov
Newsgroups: gmane.emacs.devel
To: emacs-devel@gnu.org
Subject: Re: ELPA security
Date: Mon, 31 Dec 2012 17:15:17 -0500
Message-ID: <877gnx27ii.fsf@lifelogs.com>

On Mon, 31 Dec 2012 12:48:44 -0700 Tom Tromey wrote:

>>>>>> "Ted" == Ted Zlatanov writes:

Ted> 1. add DVCS support to package.el, supporting Git and Bazaar, with the
Ted> notion of "pull packages from repo X at tag/commit Y" in addition to the
Ted> current "pull packages from URLs". The VC package has to be involved
Ted> here, instead of writing custom code.

Tom> What is the reason for this?

Right now, it's easy to change the DNS entry for the GNU ELPA and
compromise a user's machine completely. I proposed a way for package.el
to verify packages by looking at signed DVCS commits (Bazaar) or tags (Git).
This uses public-key cryptography, which fits well with the decentralized
operation of package.el, and these DVCSs are available on most modern
platforms that can run Emacs. Please see my previous posts to
emacs-devel for the details.

Tom> FWIW, I considered and rejected this approach when writing package.el.
Tom> My reason was that I wanted packaging not to require any external tools,
Tom> so it would be available to all Emacs users. Also, KISS.

OK. KISS doesn't address package security, unfortunately. How would you
suggest we verify the packages you've downloaded? Plain HTTP and HTTP/S
are not sufficient. We need to build the equivalent of the DVCS signed
commits/tags, in my opinion, and I'd like to avoid that extra work. The
VC package, present in Emacs already, could provide this.

Tom> Mixing in VC seems to add a lot of potential failure modes.

The current situation is bad enough to warrant this work and potential
complications. I am open to alternative suggestions.

Ted
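
The "pull packages from repo X at tag Y" check discussed in this message, for the Git case, as an added example that is not code from the thread or from package.el. It goes one step further than a bare `git verify-tag`, which accepts any key in the local keyring, by pinning the signer's fingerprint. The function names, the repository URL and the fingerprints are hypothetical, and git and gpg are assumed to be installed with the maintainer's public key already imported.

```shell
#!/bin/sh
# Added example (not package.el code). Function names, repository URL and
# fingerprints are hypothetical. Needs git and gpg, with the maintainer's
# public key already imported into the local keyring.

# Read GnuPG status lines on stdin; print the signer's primary-key
# fingerprint only if the signature is valid and nothing flags it as bad.
signer_fingerprint() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # Field 12 is the primary key when a subkey signed; older gpg omits it.
        $2 == "VALIDSIG" { fpr = (NF >= 12) ? $12 : $3 }
        END { if (bad || fpr == "") exit 1; print fpr }
    '
}

# True if fingerprint $1 is in the space-separated pinned list $2.
is_pinned() {
    for pinned_fpr in $2; do
        [ "$1" = "$pinned_fpr" ] && return 0
    done
    return 1
}

# Clone REPO without populating a working tree, verify TAG, and check it
# out into DEST only if a pinned key signed it.
fetch_verified() {  # usage: fetch_verified REPO TAG DEST "FPR1 FPR2"
    git clone --quiet --no-checkout "$1" "$3" || return 1
    # --raw sends the GnuPG status lines to stderr; keep only those.
    fpr=$(git -C "$3" verify-tag --raw "refs/tags/$2" 2>&1 >/dev/null |
          signer_fingerprint) || { echo "$2: no valid signature" >&2; return 1; }
    is_pinned "$fpr" "$4" || { echo "$2: signed by unpinned key $fpr" >&2; return 1; }
    git -C "$3" checkout --quiet --detach "refs/tags/$2"
}

# Constructed status output (not from a real key): a subkey signature whose
# primary-key fingerprint is the last field.
PRIMARY=0123456789ABCDEF0123456789ABCDEF01234567
SUBKEY=89ABCDEF0123456789ABCDEF0123456789ABCDEF
SAMPLE_STATUS="[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG $SUBKEY 2012-12-31 1356992132 0 4 0 1 8 00 $PRIMARY"

# Prints the primary fingerprint (the value of PRIMARY).
printf '%s\n' "$SAMPLE_STATUS" | signer_fingerprint
# Real use: fetch_verified https://elpa.example.org/pkg.git v1.0 ./pkg "$PRIMARY"
```

A mirror reached through a changed DNS entry can serve any tag it likes, but it cannot produce one that passes both checks without the maintainer's private key.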