From: Ted Zlatanov
Newsgroups: gmane.emacs.devel
To: emacs-devel@gnu.org
Subject: Re: security of the emacs package system, elpa, melpa and marmalade
Date: Sun, 29 Sep 2013 06:12:19 -0400
Organization: Теодор Златанов @ Cienfuegos
Message-ID: <87txh4ym0s.fsf@flea.lifelogs.com>
References: <523FEE1B.9020408@binary-island.eu> <52429ABD.6090603@binary-island.eu> <52432BE9.1070402@binary-island.eu> <87d2nw1j3b.fsf@uwakimon.sk.tsukuba.ac.jp>
Reply-To: emacs-devel@gnu.org
Mail-Followup-To: emacs-devel@gnu.org
User-Agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.3.50 (gnu/linux)
List-Id: "Emacs development discussions."
Xref: news.gmane.org gmane.emacs.devel:163712

On Thu, 26 Sep 2013 12:25:32 -0400 Richard Stallman wrote:

RS> The basic question is, what sorts of things do we want security against?
RS> So far, we have put effort into security against
RS> * Attacks through files you might examine.
RS> * Surreptitious substitution of the wrong code
RS>   instead of what you think you are downloading.
RS> If the existence of package repositories introduces new ways to do
RS> those things, we should do what is needed to make them safe.
We need to question whether relying on GPG is the right thing here, or if
we need an Emacs Lisp-based or C-based solution to authenticate content
signatures. I am leaning towards the latter after years of experience
with GPG and epg.el (without questioning the quality of epg.el, which is
very good). At the very least, spawning an external process to verify a
signature for every package download seems wasteful.

In addition, I think we need reviews of package updates before they are
rolled out on the GNU ELPA. It's a lot of work.

RS> Does anyone think we should start worrying about some other attack?

"Just because you're paranoid doesn't mean they're not after you."

Here is a quick list of other attacks. I am not posing conspiracy
theories; the below are all based on real-life compromises I have seen in
other software or in GNU Emacs. (Note that the GNU ELPA can be used by
many versions of Emacs, some with bugs that are fixed later but could be
exploitable at that version.)

- injection of binary blobs, even if well-intended

- injection of external resources, e.g. a URL which suddenly starts
  generating an image that can exploit a libgif bug to compromise a
  system (note that this can be easily targeted to a single IP)

- DDoS of a target website or service by using their resources (this
  could be intentional or accidental)

- injection of code that is not GPLed or is otherwise legally
  questionable

- targeted attacks, e.g. compromises that work on only one user's
  machine but behave well otherwise

- exploits of the Emacs Lisp parser, e.g. imagine a bug in the hashtable
  reader or a specially-formatted comment that breaks the symbol table
  (I'm not aware of such bugs; this is just an example)

- exploits of file-local variables

- advice-based attacks (package X advises function F in a non-obvious
  way to compromise security)

I hope this is useful.

Ted
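The review step Ted asks for ("reviews of package updates before they are rolled out") can be partly mechanised. The script below is an added example, not code from this message or from Emacs/GNU ELPA: a static pre-review scan that flags, in a single .el file, the constructs from his attack list that a human reviewer should read first (advice on functions the package does not own, file-local `eval:` variables, external resources fetched at load time, subprocess spawning, opaque binary blobs). The regex patterns, the category names and the sample package are all constructed for illustration; they narrow where to look and are not a Lisp reader.

```python
"""Static pre-review scan of an Emacs Lisp package file.

Added example, not code from the message above or from Emacs/GNU ELPA.
The patterns, category names and sample package are constructed for
illustration; regexes only narrow where a reviewer should look.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str   # category from the attack list
    line: int   # 1-based line number within the file
    text: str   # the offending source line, stripped


# (category, pattern). Constructed heuristics; extend to taste.
CHECKS = [
    # advice-based attacks: the package quietly rewires a function it does not own
    ("advice", re.compile(r"\((?:advice-add|defadvice|add-function)\b")),
    # file-local variables: `eval:` in a -*- mode line or a Local Variables block
    ("file-local-eval", re.compile(r"(?i)-\*-.*\beval:|^;;;?\s*eval:")),
    # external resources pulled in at load time (the image-via-URL scenario)
    ("external-resource",
     re.compile(r"\((?:url-retrieve(?:-synchronously)?|url-insert-file-contents)\b|https?://")),
    # subprocesses spawned by the package
    ("subprocess",
     re.compile(r"\((?:call-process|start-process|shell-command(?:-to-string)?|make-process)\b")),
    # binary blobs: long base64 runs or long strings of octal byte escapes
    ("binary-blob", re.compile(r"[A-Za-z0-9+/]{64,}={0,2}|(?:\\[0-7]{3}){8,}")),
]


def scan(source: str) -> list[Finding]:
    """Return every flagged line in file order; one finding per (line, category)."""
    findings: list[Finding] = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        for kind, pattern in CHECKS:
            if pattern.search(raw):
                findings.append(Finding(kind, lineno, raw.strip()))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count of findings per category, for a reviewer's first glance."""
    return dict(Counter(f.kind for f in findings))


def needs_review(source: str) -> bool:
    """True if the file should be held for a human reviewer before publication."""
    return bool(scan(source))


# Constructed sample package: a plausible-looking file carrying several of
# the attacks from the list. Nothing here is real code from any package.
SAMPLE_PACKAGE = """\
;;; helpful-mode.el --- constructed sample package -*- lexical-binding: t -*-
;; Version: 0.1
(require 'auth-source)

(defun helpful-mode--phone-home (&rest _)
  ;; looks like telemetry; actually runs after every credential lookup
  (url-retrieve "http://example.invalid/collect" #'ignore))

;; non-obvious rewiring of a core function (advice-based attack)
(advice-add 'auth-source-search :after #'helpful-mode--phone-home)

(defconst helpful-mode--icon
  "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==")

;; Local Variables:
;; eval: (message "runs when the file is merely visited")
;; End:
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_PACKAGE):
        print(f"line {f.line:3d}  {f.kind:18s} {f.text}")
    print(summarize(scan(SAMPLE_PACKAGE)))
```

Two caveats a reviewer should keep in mind. Line-oriented regexes cannot tell a live form from one inside a string or a comment, so treat a hit as "read this" rather than "reject this", and a determined author can split or obfuscate any of these tokens; the scan raises the cost of a lazy injection, it does not replace reading the diff. Also, Emacs by default asks before applying an `eval:` file-local variable, so that hit is a prompt the user may click through rather than silent execution, unless the form is on the user's safe list or `enable-local-eval` has been set to `t`.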