From: Philip Kaludercic <philipk@posteo.net>
To: Morgan Willcock <morgan@ice9.digital>
Cc: emacs-devel@gnu.org
Subject: Re: Where should security issues with GNU ELPA packages be reported?
Date: Fri, 29 Mar 2024 05:53:23 +0000 [thread overview]
Message-ID: <87plvdeg8c.fsf@posteo.net> (raw)
In-Reply-To: <87wmpmmg7j.fsf@ice9.digital> (Morgan Willcock's message of "Thu, 28 Mar 2024 17:14:24 +0000")
Morgan Willcock <morgan@ice9.digital> writes:
> Philip Kaludercic <philipk@posteo.net> writes:
>
>> Morgan Willcock <morgan@ice9.digital> writes:
>>
>>> I think I have found a security issue with a package which is
>>> distributed on GNU ELPA, and I am unsure who to notify.
>>>
>>> Given that the package is technically part of Emacs, do I follow
>>> whatever the procedure would be for disclosing security problems with
>>> Emacs? If so, what is that procedure?
>>>
>>> Or should I e-mail the package author first?
>>>
>>> Given that it is not the package author who is distributing the package,
>>> I am unsure what to do.
>>
>> It would probably be better to message the maintainer first, if there is
>> no explicit maintainer you can check elpa.git to infer who is
>> responsible.
>
> There is an e-mail address for the maintainer, I just wasn't sure
> whether going to them first was the correct thing to do.
The maintainer of the package can generally push changes to their own
repository and can trigger a new package to be built. If they do not
respond and it is urgent, anyone with access to elpa.git could push a
commit to the mirror (forking from upstream).
>> Can you disclose what package you are concerned about?
>
> I was not planning on naming it until after I had spoken privately to
> whoever the appropriate person is. The problem concerns an encryption
> failure which potentially exposes private security keys.
Ok, understandable.
--
Philip Kaludercic on peregrine
next prev parent reply other threads:[~2024-03-29 5:53 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-28 13:40 Where should security issues with GNU ELPA packages be reported? Morgan Willcock
2024-03-28 14:53 ` Emanuel Berg
2024-03-28 16:07 ` Philip Kaludercic
2024-03-28 17:14 ` Morgan Willcock
2024-03-29 5:53 ` Philip Kaludercic [this message]
2024-03-31 23:46 ` Richard Stallman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87plvdeg8c.fsf@posteo.net \
--to=philipk@posteo.net \
--cc=emacs-devel@gnu.org \
--cc=morgan@ice9.digital \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).