From: Philip Kaludercic
Newsgroups: gmane.emacs.devel
Subject: Re: Where should security issues with GNU ELPA packages be reported?
Date: Thu, 28 Mar 2024 16:07:44 +0000
Message-ID: <878r225ohb.fsf@posteo.net>
References: <87cyreo4np.fsf@ice9.digital>
To: Morgan Willcock
Cc: emacs-devel@gnu.org
In-Reply-To: <87cyreo4np.fsf@ice9.digital> (Morgan Willcock's message of "Thu, 28 Mar 2024 13:40:58 +0000")
Xref: news.gmane.io gmane.emacs.devel:317362

Morgan Willcock writes:

> I think I have found a security issue with a package which is
> distributed on GNU ELPA, and I am unsure who to notify.
>
> Given that the package is technically part of Emacs, do I follow
> whatever the procedure would be for disclosing security problems with
> Emacs? If so, what is that procedure?
>
> Or should I e-mail the package author first?
>
> Given that it is not the package author who is distributing the package,
> I am unsure what to do.

It would probably be better to message the maintainer first; if there is
no explicit maintainer, you can check elpa.git to infer who is
responsible.

Can you disclose what package you are concerned about?

-- 
Philip Kaludercic on peregrine