From: Jambunathan K
Newsgroups: gmane.emacs.devel
Subject: Re: ELPA security
Date: Mon, 07 Jan 2013 11:39:19 +0530
Message-ID: <87pq1h4j8w.fsf@gmail.com>
References: <8738zf70ep.fsf@riseup.net> <871uejlbm1.fsf@lifelogs.com> <87k3rrr31g.fsf@Rainer.invalid> <874nium8h0.fsf@lifelogs.com> <87bod1h7d3.fsf@gmail.com>
To: Paul Nathan
Cc: emacs-devel@gnu.org
In-Reply-To: (Paul Nathan's message of "Sun, 6 Jan 2013 21:53:30 -0800")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3.50 (gnu/linux)

Paul Nathan writes:

>> If I am downloading a package from a trustworthy site - "certified"
>> by a legal entity - I should be doing good, right.
>
> Jambunathan,
>
> The existing problem statement is that while we (presumably) trust the
> GNU Emacs code, we do not per se trust the other packages in
> existence. How do we know those packages are what the original authors
> created? It is not the best idea from a security standpoint to
> download arbitrary code from the emacs wiki and execute it!
Thanks for not getting offended and ELI5. I don't mean to hijack this
thread.

Frankly speaking, I don't rely on Tromey, Marmalade, Emacswiki or MELPA.
I may consult them but I don't rely on them.

The main problem is not that of security per se. The main problem is
reliability. The packages will break, the author wouldn't care about
responding to questions or fixing things, the functionality itself could
be broken in unknown ways etc.

> The ELPA infrastructure now allows pulling extensions from multiple
> non-GNU repositories. I certainly hope no one hacks them! If someone
> does, then a certification mechanism would assist the user in telling
> them that something's gone very wrong. So a signing mechanism allows
> the distributor to certify his/her code as being written by his/her,
> and you to verify that the distributor certified their code. Whether
> the code itself is any good is a different question, of course - a
> malicious distributor that everyone trusts is a big problem!

I am thinking how many of the existing ELPA repositories will go to the
extent of getting a signature from a legal entity. Mostly they are
"wannabes" or individual efforts. Maybe the idea is too far ahead of its
time.

I wonder whether another "serious" distributor like GNU ELPA sprouts
forth. Is XEmacs a contender here? I don't know. Stephen T can enlighten
us.

> Kind regards,
> Paul
>
> --
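The sign-then-verify model Paul describes, as an added walk-through that is not part of this thread: a distributor signs a package tarball with a detached GnuPG signature, a user who holds only the distributor's public key verifies it, and a tarball altered after signing is rejected. It assumes a GnuPG 2.1 or newer `gpg` binary; the key name, package name and package contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the emacs-devel thread): detached-signature
# verification of a package archive with GnuPG, using throwaway keyrings.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
GPG="gpg --batch --quiet --no-tty"

# --- distributor side: its own keyring; signs what it publishes --------
export GNUPGHOME="$WORK/distributor"; mkdir -m 700 "$GNUPGHOME"
$GPG --passphrase '' --pinentry-mode loopback \
     --quick-generate-key "Demo Distributor <dist@example.invalid>" default sign 0
printf 'constructed package contents, foo 1.0\n' > "$WORK/foo-1.0.tar"
# Detached signature shipped next to the archive (ELPA later used .sig files).
$GPG --detach-sign --armor --output "$WORK/foo-1.0.tar.asc" "$WORK/foo-1.0.tar"
$GPG --export --armor dist@example.invalid > "$WORK/distributor.pub"

# --- user side: a fresh keyring that knows only the distributor's key ---
export GNUPGHOME="$WORK/user"; mkdir -m 700 "$GNUPGHOME"
$GPG --import "$WORK/distributor.pub"

# verify_package FILE SIGNATURE: exit 0 only if SIGNATURE is a valid
# signature over FILE by a key in the user's keyring. A good result says
# "this is what the distributor signed"; it says nothing about whether
# the code is any good, which is Paul's trusted-but-malicious caveat.
verify_package() {
    $GPG --verify "$2" "$1" 2>/dev/null
}

# 1. untouched archive: verification succeeds
if verify_package "$WORK/foo-1.0.tar" "$WORK/foo-1.0.tar.asc"; then
    GENUINE_OK=1; else GENUINE_OK=0; fi

# 2. repository compromised, archive changed after signing: verification fails
printf 'constructed package contents, foo 1.0 + injected change\n' > "$WORK/foo-1.0.tar"
if verify_package "$WORK/foo-1.0.tar" "$WORK/foo-1.0.tar.asc"; then
    TAMPERED_OK=1; else TAMPERED_OK=0; fi

echo "genuine verified: $GENUINE_OK, tampered verified: $TAMPERED_OK"
```

Note that an imported key is merely known, not trusted, so gpg prints a trust warning on the genuine case; the exit status still distinguishes a valid signature from an invalid one.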