From: Ted Zlatanov <tzz@lifelogs.com>
To: emacs-devel@gnu.org
Subject: Re: package.el + DVCS for security and convenience
Date: Tue, 08 Jan 2013 10:15:12 -0500 [thread overview]
Message-ID: <87sj6bg0zj.fsf@lifelogs.com> (raw)
In-Reply-To: 87y5g4a1ob.fsf@uwakimon.sk.tsukuba.ac.jp
On Tue, 08 Jan 2013 10:44:36 +0900 "Stephen J. Turnbull" <stephen@xemacs.org> wrote:
>> On Mon, 07 Jan 2013 11:03:07 +0900 "Stephen J. Turnbull" <stephen@xemacs.org> wrote:
SJT> Ted Zlatanov writes:
>> The alternative is to say "trust this code, though we don't know
>> what it is."
SJT> Your use of the unique quantifier is once again inappropriate. "We"
SJT> does not have to be an undifferentiated blob; it can be
SJT> personalized.
To an Emacs user, the GNU ELPA is a package archive, not a personality
bazaar. Our view on emacs-devel is very different and colors our
thinking. So "we" reflects us, the Emacs developers, of which the GNU
ELPA maintainers are a subset.
SJT> You could, for example, have each volunteer provide a separate
SJT> signature as they review the code. More reviews, more trust -- maybe,
SJT> unless more reviews means each one is less thorough. Identification
SJT> of the reviewer means trust can be a function of the reviewer.
SJT> Authors don't make the best reviewers, but they do know the code, and
SJT> an author signature is a certificate of authenticity.
I explained that authors are much easier to compromise than maintainers.
Stefan has confirmed (I believe) the GNU ELPA maintainers will use a
single "GNU ELPA" key to sign package releases. He has also stated
we'll use signatures to indicate provenance, not security reviews.
Since I won't argue that point further, I've snipped your thoughtful
replies on the topic of security reviews, except where I could clearly
win the argument ;)
SJT> If you actually do reasonably thorough reviews, though, you will
SJT> end up with a large backlog of pending commits unless you have a
SJT> lot of volunteers.
I was planning to outsource it to some Russians. They are very
thorough, I know the gang leader, er, I mean the project manager,
personally.
SJT> (Authors will have to rework features rejected for security of
SJT> implementation reasons, and it would be quite painful to have a
SJT> whole feature rejected for security reasons).
The authors are free not to host their packages in the GNU ELPA, if they
don't want to worry about security concerns. Even without security
reviews, I think that should be the case, and the GNU ELPA maintainers
should be free to reject packages on that basis.
SJT> Nor do I see why reviewing Emacs Lisp code is *much* easier.
IMHO suspicious and malicious code is more easily visible in Emacs Lisp.
SJT> AFAIK you're not currently a GNU ELPA maintainer?
I have the access.
SJT> 0. Emacs should do something about this, and soon.
SJT> 1. Mission creep should be avoided.
SJT> 2. The first mission, cheap to implement, is to authenticate the
SJT> packages that are at GNU ELPA.
I agree.
SJT> 3. The authentication should be done via a list of authorized
SJT> signatures, not a single "GNU ELPA Maintainer" (GEM) signature.
SJT> 4. Package maintainers (PMs) should be considered leading candidates
SJT> for signing their own packages as pushed to GNU ELPA. PMs should
SJT> use a specific key exclusively for signing GNU ELPA packages for
SJT> authentication purposes.
I think, at least for now, Stefan has decided to use a single signature.
SJT> 5. The next mission is to develop security criteria for reviews.
SJT> This will be an ongoing process, with basics ("don't load random
SJT> libraries from the default directory") coming first, and more
SJT> extensive reviews ("how could this hook be abused?") postponed
SJT> until later.
SJT> 6. Code that has been security reviewed would get a separate "SR"
SJT> signature (ie, personal to the reviewer and a different key from
SJT> either the GEM key(s) or the PM keys).
I think that's a good plan, and can coexist with the more urgent need
to sign the package to indicate provenance.
I propose security signatures also live in `archive-contents', as Yet
Another Vector Element, in an alist (reviewer . signature) format.
Ted
next prev parent reply other threads:[~2013-01-08 15:15 UTC|newest]
Thread overview: 101+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-12-09 14:41 ELPA security George Kadianakis
2012-12-09 21:00 ` Nic Ferrier
2012-12-21 14:32 ` Ted Zlatanov
2012-12-21 22:12 ` Xue Fuqiao
2012-12-22 5:07 ` Bastien
2012-12-22 6:17 ` Xue Fuqiao
2012-12-22 12:34 ` Stephen J. Turnbull
2012-12-22 13:03 ` Bastien
2012-12-22 13:24 ` Bastien
2012-12-22 19:37 ` package.el + DVCS for security and convenience (was: ELPA security) Ted Zlatanov
2012-12-24 12:53 ` package.el + DVCS for security and convenience Nic Ferrier
2012-12-24 12:55 ` Bastien
2012-12-24 13:38 ` Ted Zlatanov
2012-12-24 13:39 ` Xue Fuqiao
2012-12-24 16:17 ` Stefan Monnier
2012-12-24 17:46 ` Ted Zlatanov
2012-12-25 1:03 ` Stephen J. Turnbull
2012-12-26 14:22 ` Ted Zlatanov
2012-12-27 3:06 ` Stephen J. Turnbull
2012-12-27 8:56 ` Xue Fuqiao
2012-12-31 11:18 ` Ted Zlatanov
2012-12-31 12:32 ` Stephen J. Turnbull
2012-12-31 13:50 ` Ted Zlatanov
2012-12-31 16:47 ` Stephen J. Turnbull
2012-12-31 21:41 ` Ted Zlatanov
2012-12-29 6:19 ` Stefan Monnier
2012-12-31 11:22 ` Ted Zlatanov
2013-01-03 16:41 ` Stefan Monnier
2013-01-04 16:05 ` Ted Zlatanov
2013-01-04 18:11 ` Stefan Monnier
2013-01-04 19:06 ` Ted Zlatanov
2013-01-05 3:25 ` Stephen J. Turnbull
2013-01-06 19:20 ` Ted Zlatanov
2013-01-07 2:03 ` Stephen J. Turnbull
2013-01-07 14:47 ` Ted Zlatanov
2013-01-08 1:44 ` Stephen J. Turnbull
2013-01-08 15:15 ` Ted Zlatanov [this message]
2013-01-08 17:53 ` Stephen J. Turnbull
2013-01-08 18:46 ` Ted Zlatanov
2013-01-08 21:20 ` Stefan Monnier
2013-01-09 2:37 ` Stephen J. Turnbull
2013-01-08 2:20 ` Stephen J. Turnbull
2013-01-08 14:05 ` Xue Fuqiao
2013-01-04 22:21 ` Xue Fuqiao
2012-12-31 20:06 ` Re:package.el + DVCS for security and convenience (was: ELPA security) Phil Hagelberg
2012-12-31 22:50 ` package.el + DVCS for security and convenience Ted Zlatanov
2012-12-22 16:20 ` ELPA security Stefan Monnier
2012-12-26 17:32 ` Paul Nathan
2012-12-31 11:50 ` Ted Zlatanov
2012-12-31 12:34 ` Stephen J. Turnbull
2012-12-31 13:39 ` Package signing infrastructure suggestion (was Re: ELPA security) Nic Ferrier
2012-12-31 22:32 ` Ted Zlatanov
2012-12-31 23:01 ` Xue Fuqiao
2012-12-31 19:48 ` ELPA security Tom Tromey
2012-12-31 19:57 ` Drew Adams
2012-12-31 22:19 ` Ted Zlatanov
2012-12-31 22:15 ` Ted Zlatanov
2013-01-05 16:46 ` Achim Gratz
2013-01-06 19:12 ` Ted Zlatanov
2013-01-07 5:32 ` Paul Nathan
2013-01-07 5:47 ` Jambunathan K
2013-01-07 5:53 ` Paul Nathan
2013-01-07 6:09 ` Jambunathan K
2013-01-07 6:20 ` Paul Nathan
2013-01-07 7:12 ` Stephen J. Turnbull
2013-01-07 7:18 ` chad
2013-01-07 14:34 ` Ted Zlatanov
2013-01-07 6:57 ` Stephen J. Turnbull
2013-01-07 14:35 ` Ted Zlatanov
2013-01-07 15:01 ` Ted Zlatanov
2013-01-08 3:07 ` Stefan Monnier
2013-01-08 14:47 ` Ted Zlatanov
2013-01-08 16:57 ` Stefan Monnier
2013-01-08 17:30 ` Ted Zlatanov
2013-01-08 20:50 ` Stefan Monnier
2013-01-08 21:30 ` Ted Zlatanov
2013-01-08 22:46 ` Stefan Monnier
2013-01-08 23:30 ` Ted Zlatanov
2013-03-12 18:29 ` Ted Zlatanov
2013-01-08 17:00 ` Stefan Monnier
2013-01-08 17:59 ` Achim Gratz
2013-01-08 18:37 ` Ted Zlatanov
2013-01-08 20:59 ` Stefan Monnier
2013-06-16 11:18 ` Ted Zlatanov
2013-06-16 23:12 ` Stefan Monnier
2013-06-17 1:56 ` Stephen J. Turnbull
2013-06-17 7:23 ` Ted Zlatanov
2013-06-17 15:54 ` Stephen J. Turnbull
2013-06-28 15:34 ` Ted Zlatanov
2013-06-17 14:34 ` Stefan Monnier
2013-06-17 7:20 ` Ted Zlatanov
2013-06-19 5:02 ` Ted Zlatanov
2013-06-19 12:38 ` Stefan Monnier
2013-06-23 11:58 ` Ted Zlatanov
2013-06-23 16:41 ` Stefan Monnier
2013-06-28 15:47 ` Ted Zlatanov
2013-06-28 16:28 ` Nic Ferrier
2013-06-28 22:49 ` Stefan Monnier
2013-06-24 3:44 ` Daiki Ueno
2013-06-28 15:32 ` Ted Zlatanov
2013-06-28 16:15 ` Daiki Ueno
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87sj6bg0zj.fsf@lifelogs.com \
--to=tzz@lifelogs.com \
--cc=emacs-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).