From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail
From: Morgan Willcock <morgan@ice9.digital>
Newsgroups: gmane.emacs.devel
Subject: Re: Where should security issues with GNU ELPA packages be reported?
Date: Thu, 28 Mar 2024 17:14:24 +0000
Message-ID: <87wmpmmg7j.fsf@ice9.digital>
References: <87cyreo4np.fsf@ice9.digital> <878r225ohb.fsf@posteo.net>
Mime-Version: 1.0
Content-Type: text/plain
Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214";
	logging-data="9959"; mail-complaints-to="usenet@ciao.gmane.io"
User-Agent: Gnus/5.13 (Gnus v5.13)
Cc: emacs-devel@gnu.org
To: Philip Kaludercic <philipk@posteo.net>
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Thu Mar 28 18:15:39 2024
Return-path: <emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org>
Envelope-to: ged-emacs-devel@m.gmane-mx.org
Original-Received: from lists.gnu.org ([209.51.188.17])
	by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org>)
	id 1rptLm-0002PV-Fb
	for ged-emacs-devel@m.gmane-mx.org; Thu, 28 Mar 2024 18:15:38 +0100
Original-Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <emacs-devel-bounces@gnu.org>)
	id 1rptKo-0002Jw-8k; Thu, 28 Mar 2024 13:14:38 -0400
Original-Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <morgan@ice9.digital>)
 id 1rptKm-0002Jf-6e
 for emacs-devel@gnu.org; Thu, 28 Mar 2024 13:14:36 -0400
Original-Received: from relay3-d.mail.gandi.net ([217.70.183.195])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <morgan@ice9.digital>)
 id 1rptKi-00018Y-FG
 for emacs-devel@gnu.org; Thu, 28 Mar 2024 13:14:35 -0400
Original-Received: by mail.gandi.net (Postfix) with ESMTPSA id DD2FD60009;
 Thu, 28 Mar 2024 17:14:26 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ice9.digital;
 s=gm1; t=1711646067;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
 in-reply-to:in-reply-to:references:references;
 bh=vmdbfHiHkS21XusZ0jJ/sVI2dkCsMakvP8y7nUoeMPk=;
 b=kRA3OKs0EemfSN53CbdCm2lW1DB9NN6CTTBAJHgViK+qIMX56uMH6fbtzGuLv+AXCvvz0B
 usA4T5ieLZYI6Og6eBqAGvQ3VpcpgabrowPTLfVtxVlmpcc1769E2hc3zAejBdEx5MYc/F
 szcUENV28PC3ZiHfem+GFOu+1kfCDCUjf89UCHwp7gTsxjbBw/ma4WdCHbH+tHmGu0kWS5
 JiA8xW4rE+TjMvLTnQGwIzKo4RBs+58XFxsIXuJDDOtY3OeY7yMXgpPTAIYQH4CEb36AkL
 54qSunPcxhYmTmlic37DX6hp3D1YYjuryoQKIMMrPEO3WJx8D+ICB4Jk1Ms4Og==
In-Reply-To: <878r225ohb.fsf@posteo.net> (Philip Kaludercic's message of "Thu, 
 28 Mar 2024 16:07:44 +0000")
X-GND-Sasl: morgan@ice9.digital
Received-SPF: pass client-ip=217.70.183.195; envelope-from=morgan@ice9.digital;
 helo=relay3-d.mail.gandi.net
X-Spam_score_int: -27
X-Spam_score: -2.8
X-Spam_bar: --
X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001,
 SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Emacs development discussions." <emacs-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/emacs-devel>,
 <mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/emacs-devel>
List-Post: <mailto:emacs-devel@gnu.org>
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/emacs-devel>,
 <mailto:emacs-devel-request@gnu.org?subject=subscribe>
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org
Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org
Xref: news.gmane.io gmane.emacs.devel:317363
Archived-At: <http://permalink.gmane.org/gmane.emacs.devel/317363>

Philip Kaludercic <philipk@posteo.net> writes:

> Morgan Willcock <morgan@ice9.digital> writes:
>
>> I think I have found a security issue with a package which is
>> distributed on GNU ELPA, and I am unsure who to notify.
>>
>> Given that the package is technically part of Emacs, do I follow
>> whatever the procedure would be for disclosing security problems with
>> Emacs?  If so, what is that procedure?
>>
>> Or should I e-mail the package author first?
>>
>> Given that it is not the package author who is distributing the package,
>> I am unsure what to do.
>
> It would probably be better to message the maintainer first, if there is
> no explicit maintainer you can check elpa.git to infer who is
> responsible.

There is an e-mail address for the maintainer, I just wasn't sure
whether going to them first was the correct thing to do.

> Can you disclose what package you are concerned about?

I was not planning on naming it until after I had spoken privately to
whoever the appropriate person is.  The problem concerns an encryption
failure which potentially exposes private security keys.

-- 
Morgan Willcock