From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Adam Porter Newsgroups: gmane.emacs.devel Subject: Re: [ELPA/elpa-admin] Render README.org as ASCII with ox-ascii Date: Sun, 29 Aug 2021 19:01:25 -0500 Message-ID: <878s0jztpm.fsf@alphapapa.net> References: <87h7f7zww5.fsf@alphapapa.net> <0d8b81d8-e923-dc17-e815-3b1082a20a12@gmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="19194"; mail-complaints-to="usenet@ciao.gmane.io" User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux) To: emacs-devel@gnu.org Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Mon Aug 30 02:03:49 2021 Return-path: Envelope-to: ged-emacs-devel@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1mKUmD-0004m6-0g for ged-emacs-devel@m.gmane-mx.org; Mon, 30 Aug 2021 02:03:49 +0200 Original-Received: from localhost ([::1]:50400 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mKUmB-0006AN-0R for ged-emacs-devel@m.gmane-mx.org; Sun, 29 Aug 2021 20:03:47 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:58060) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mKUkA-0004yf-OV for emacs-devel@gnu.org; Sun, 29 Aug 2021 20:01:47 -0400 Original-Received: from ciao.gmane.io ([116.202.254.214]:36950) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mKUk8-0005QT-SK for emacs-devel@gnu.org; Sun, 29 Aug 2021 20:01:42 -0400 Original-Received: from list by ciao.gmane.io with local (Exim 4.92) (envelope-from ) id 1mKUk6-0002T1-Tb for emacs-devel@gnu.org; Mon, 30 Aug 2021 02:01:38 +0200 X-Injected-Via-Gmane: http://gmane.org/ Received-SPF: pass client-ip=116.202.254.214; envelope-from=ged-emacs-devel@m.gmane-mx.org; helo=ciao.gmane.io X-Spam_score_int: -15 X-Spam_score: -1.6 X-Spam_bar: - X-Spam_report: (-1.6 / 5.0 requ) BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no X-Spam_action: no action X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Original-Sender: "Emacs-devel" Xref: news.gmane.io gmane.emacs.devel:273445 Archived-At: Clément Pit-Claudel writes: > On 8/29/21 6:52 PM, Adam Porter wrote: >> Hi Stefan, et al, >> >> Having added taxy.el to ELPA, I noticed that its README.org file isn't >> very readable on the ELPA site, because it's rendered as a raw file, >> including long lines that extend beyond the edge of the HTML PRE block, >> raw Org-syntax, etc. >> >> Thankfully, Org has an ASCII/UTF-8 export backend that cleanly renders >> Org to plain text. It only took a few lines of to make use of it. >> Please see the attached patches. (While I was at it, I took the liberty >> of adding a couple of docstrings and renaming a few variables to help me >> understand the code.) > > How much does security matter in this case? AFAIR exporting an Org > file can run arbitrary code; would this patch allow a package in ELPA > to subvert the build process of another package? > > And if so, is that a problem, or is there sufficient scrutiny of the > inputs to ELPA? IIRC any package author can push to ELPA and updates > will propagate immediately, so the worry would be that in the time > between the introduction of a worm and its detection a large number of > end users might install bad code. Hi Clément, Yes, that's a good question. I don't know if I can fully answer it, myself. I would guess that those who have commit access to ELPA are considered trusted, and regardless of potentially using Org Export while building packages, those committers could already add malicious code that could end up being distributed to users until someone noticed and reverted the changes. Also, AFAIU, ELPA already runs Makefiles for packages as part of the build process, and those can run arbitrary code, which I guess could do things like modify other packages, modify the build process or scripts, or anything else that the user account the build process runs as could do on the server. So, based on my understanding, this change wouldn't make the build process less secure, per se. One might say that it could offer a new way in which to obfuscate or hide malicious code, but I'd guess that, since we already seem to trust the people who can commit to ELPA now, this wouldn't change the status quo. Please let me know if I'm missing something. :) Thanks.