From mboxrd@z Thu Jan 1 00:00:00 1970
From: Jambunathan K
Newsgroups: gmane.emacs.devel
Subject: Re: ELPA security
Date: Mon, 07 Jan 2013 11:17:36 +0530
Message-ID: <87bod1h7d3.fsf@gmail.com>
References: <8738zf70ep.fsf@riseup.net> <871uejlbm1.fsf@lifelogs.com> <87k3rrr31g.fsf@Rainer.invalid> <874nium8h0.fsf@lifelogs.com>
In-Reply-To: (Paul Nathan's message of "Sun, 6 Jan 2013 21:32:11 -0800")
To: emacs-devel@gnu.org

If GNU packages come with no warranty of any sort, I am wondering why all this fuzz.

If I am downloading a package from a trustworthy site - "certified" by a legal entity - I should be doing good, right?

I have never even thought of verifying my Emacs, ever. If Emacs happened to carry a virus or if the rumour-mills go abuzzing about virus infiltration or if AV packages go bonkers, I may become extra paranoid.

Also, when I am downloading stuff from a distributor I implicitly trust, shouldn't I be doing good?
Can I not rely on the distributor to do the due diligence?

Again, I am going to be fired from multiple quarters for posting this. That's fine. I am willing to face the cannon and hopefully others will be informed or warned.

ps: I have nothing against elaborate security measures and VVIP gate passes. Question is does my house really need it?