From: Philip Kaludercic
Newsgroups: gmane.emacs.devel
Subject: Re: Where should security issues with GNU ELPA packages be reported?
Date: Fri, 29 Mar 2024 05:53:23 +0000
Message-ID: <87plvdeg8c.fsf@posteo.net>
References: <87cyreo4np.fsf@ice9.digital> <878r225ohb.fsf@posteo.net> <87wmpmmg7j.fsf@ice9.digital>
In-Reply-To: <87wmpmmg7j.fsf@ice9.digital> (Morgan Willcock's message of "Thu, 28 Mar 2024 17:14:24 +0000")
To: Morgan Willcock
Cc: emacs-devel@gnu.org
OpenPGP: id=7126E1DE2F0CE35C770BED01F2C3CC513DB89F66; url="https://keys.openpgp.org/vks/v1/by-fingerprint/7126E1DE2F0CE35C770BED01F2C3CC513DB89F66"; preference=signencrypt
Xref: news.gmane.io gmane.emacs.devel:317372

Morgan Willcock writes:

> Philip Kaludercic writes:
>
>> Morgan Willcock writes:
>>
>>> I think I have found a security issue with a package which is
>>> distributed on GNU ELPA, and I am unsure who to notify.
>>>
>>> Given that the package is technically part of Emacs, do I follow
>>> whatever the procedure would be for disclosing security problems with
>>> Emacs? If so, what is that procedure?
>>>
>>> Or should I e-mail the package author first?
>>>
>>> Given that it is not the package author who is distributing the package,
>>> I am unsure what to do.
>>
>> It would probably be better to message the maintainer first, if there is
>> no explicit maintainer you can check elpa.git to infer who is
>> responsible.
>
> There is an e-mail address for the maintainer, I just wasn't sure
> whether going to them first was the correct thing to do.

The maintainer of the package can generally push changes to their own
repository and can trigger a new package to be built.  If they do not
respond and it is urgent, anyone with access to elpa.git could push a
commit to the mirror (forking from upstream).

>> Can you disclose what package you are concerned about?
>
> I was not planning on naming it until after I had spoken privately to
> whoever the appropriate person is.  The problem concerns an encryption
> failure which potentially exposes private security keys.

Ok, understandable.

-- 
Philip Kaludercic on peregrine