From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Philip Kaludercic Newsgroups: gmane.emacs.devel Subject: Re: feature/package+vc 04c4c578c7 3/4: Allow for packages to be installed directly from VCS Date: Sun, 09 Oct 2022 12:38:42 +0000 Message-ID: <87mta52mul.fsf@posteo.net> References: <164484721900.31751.1453162457552427931@vcs2.savannah.gnu.org> <20220214140020.04438C00891@vcs2.savannah.gnu.org> <87bkqmqpvb.fsf@posteo.net> <871qris3xb.fsf@gnus.org> <86y1tqb0bs.fsf@gmail.com> Mime-Version: 1.0 Content-Type: text/plain Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="19919"; mail-complaints-to="usenet@ciao.gmane.io" Cc: Lars Ingebrigtsen , Stefan Monnier , emacs-devel@gnu.org To: Tim Cross Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Sun Oct 09 14:39:51 2022 Return-path: Envelope-to: ged-emacs-devel@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1ohVaw-0004xV-Eq for ged-emacs-devel@m.gmane-mx.org; Sun, 09 Oct 2022 14:39:50 +0200 Original-Received: from localhost ([::1]:46726 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1ohVav-0006r8-B3 for ged-emacs-devel@m.gmane-mx.org; Sun, 09 Oct 2022 08:39:49 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:33236) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1ohVZv-00061M-L1 for emacs-devel@gnu.org; Sun, 09 Oct 2022 08:38:47 -0400 Original-Received: from mout01.posteo.de ([185.67.36.65]:53971) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1ohVZt-00009x-Or for emacs-devel@gnu.org; Sun, 09 Oct 2022 08:38:47 -0400 Original-Received: from submission (posteo.de [185.67.36.169]) by mout01.posteo.de (Postfix) with ESMTPS id 1E09124002A for ; Sun, 9 Oct 2022 14:38:43 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.net; s=2017; t=1665319124; bh=2dhBLnoGmLzTz8mdq5ky6E0DcOBLzHkvT/Tn9/kAjUY=; h=From:To:Cc:Subject:Autocrypt:Date:From; b=Y/Jg1BDYaYQveofachtemCvp9teQjbVonPPMwJlPikNwox8HV60yWAqBRoStTGFSL oZ/E1UrO9dgoC6wN2f/fTludwAFmsYq29l5BMfLZ8jIbTXznYvHcx2gIYuGL1iH3IR DjjTk6p6/iT06ClB2xTsJ7k9kTxRdQktxzI6vLFwIJTTuGztKU1Fp613DbxY9oVaZY 1S2jJhyeBWtgD78yUCgrVs7uAfh0+BAqq/OoNXyGkw+N58wrnONFQ2QMk3AF6j5W5M TwPl7D/BLIKtFoB3bzIXMxtKDcDOSC2g210x//aMKcB4ReC8/vTrrIsWVvIUEhJCxz E55U0b05hwfkQ== Original-Received: from customer (localhost [127.0.0.1]) by submission (posteo.de) with ESMTPSA id 4MlhRl09xcz9rxL; Sun, 9 Oct 2022 14:38:42 +0200 (CEST) In-Reply-To: <86y1tqb0bs.fsf@gmail.com> (Tim Cross's message of "Sun, 09 Oct 2022 06:02:12 +1100") Autocrypt: addr=philipk@posteo.net; prefer-encrypt=nopreference; keydata= mDMEYHHqUhYJKwYBBAHaRw8BAQdAp3GdmYJ6tm5McweY6dEvIYIiry+Oz9rU4MH6NHWK0Ee0QlBo aWxpcCBLYWx1ZGVyY2ljIChnZW5lcmF0ZWQgYnkgYXV0b2NyeXB0LmVsKSA8cGhpbGlwa0Bwb3N0 ZW8ubmV0PoiQBBMWCAA4FiEEDM2H44ZoPt9Ms0eHtVrAHPRh1FwFAmBx6lICGwMFCwkIBwIGFQoJ CAsCBBYCAwECHgECF4AACgkQtVrAHPRh1FyTkgEAjlbGPxFchvMbxzAES3r8QLuZgCxeAXunM9gh io0ePtUBALVhh9G6wIoZhl0gUCbQpoN/UJHI08Gm1qDob5zDxnIHuDgEYHHqUhIKKwYBBAGXVQEF AQEHQNcRB+MUimTMqoxxMMUERpOR+Q4b1KgncDZkhrO2ql1tAwEIB4h4BBgWCAAgFiEEDM2H44Zo Pt9Ms0eHtVrAHPRh1FwFAmBx6lICGwwACgkQtVrAHPRh1Fw1JwD/Qo7kvtib8jy7puyWrSv0MeTS g8qIxgoRWJE/KKdkCLEA/jb9b9/g8nnX+UcwHf/4VfKsjExlnND3FrBviXUW6NcB Received-SPF: pass client-ip=185.67.36.65; envelope-from=philipk@posteo.net; helo=mout01.posteo.de X-Spam_score_int: -27 X-Spam_score: -2.8 X-Spam_bar: -- X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Original-Sender: "Emacs-devel" Xref: news.gmane.io gmane.emacs.devel:297255 Archived-At: Tim Cross writes: > Lars Ingebrigtsen writes: > >> Philip Kaludercic writes: >> >>> - The ability to install a package directly from source using >>> `package-vc-fetch' (aliased to `package-checkout'). This >>> functionality is ideally VC generic. >>> >>> - The ability to update a package using `package-upgrade'[0] >>> >>> - Package metadata can either be inferred from the package URL (see >>> `package-vc-heusitic-alist') or via explicit hints from an ELPA >>> server. I plan to add the necessary features to GNU and NonGNU ELPA >>> in time so that the heuristics can be avoided. >>> >>> - The ability to (i) contact, (ii) send bug reports and (iii) patches >>> (using the new `vc-patch-prepare') to package maintainers. >> >> Sounds like great functionality, but I wonder whether the security >> implications have been discussed? Today, we use GNU ELPA as a filter of >> sorts and people rely on code there not being compromised. >> >> I assume "hints from an ELPA server" is basically a list of links to git >> repositories? If that's the case, then we may well end up with pointing >> users towards repos that have been compromised. >> >> If we don't have such a list, then adding the basic functionality sounds >> useful anyway -- that is, allowing users to say `M-x >> package-install-from-repo' or something and then they type in the URL of >> that repo -- that's fine, and leaves the security implications to the >> user (where they already are today for people that install from external >> repos). >> >> But if we list these repos in `M-x list-packages', that's a very >> different issue. > > > I think it is very dangerous to suggest there is ANY security here, even > with GNU ELPA packages. > > - There is no formal security review of packages > - There is no review before packages are updated. If a repository is > compromised and that compromise has not been detected, an update can > still occur and introduced compromised code into GNU ELPA. > > Far better to just educate users that ANY package they install could > contain malicious code. Is this feasible? Should this be a (long-)term goal, or will ELPA always be a "use at your own risk" kind of thing? Also, could you clarify what you mean by "formal security review"?