From: Ihor Radchenko <yantar92@posteo.net>
To: Stefan Kangas <stefankangas@gmail.com>
Cc: Husain Alshehhi <husain@alshehhi.io>, emacs-devel@gnu.org
Subject: Re: Security in the emacs package ecosystem
Date: Fri, 17 Feb 2023 10:21:37 +0000 [thread overview]
Message-ID: <87wn4gd232.fsf@localhost> (raw)
In-Reply-To: <CADwFkmkx3J=LvWT1upGMBaC3MRuyuxmAOB4ghRpYu-BCuX3sSg@mail.gmail.com>
Stefan Kangas <stefankangas@gmail.com> writes:
> I think we should add some flag to the build system saying that a
> package should only be released if the new tag has a valid signature.
> This would have to be optional for now. (It is of course already best
> practice to always sign your tags regardless.)
This is a good measure and will certainly improve security.
Another consideration is that package recipes can be directly edited by
anyone. If an account of a person with write access to, for example,
ELPA is compromised, ELPA recipes can be arbitrarily manipulated for all
ELPA packages. This includes re-targeting the source repo or simply
disabling the signature verification.
I am raising this because a breach of a package repo means a significant
probability of leaked ssh keys. The same ssh keys can be used to access
ELPA then.
> GNU ELPA and NonGNU ELPA does sign packages, see for example:
>
> https://elpa.gnu.org/packages/company-0.9.13.tar
> https://elpa.gnu.org/packages/company-0.9.13.tar.sig
>
> For some reason, the signature file is not linked from the web
> interface. I think we should add such a link.
I opened a bug report to create an actionable item on this.
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=61569
> If I'm not mistaken, MELPA unfortunately does not sign packages.
Looking at 43.4 Creating and Maintaining Package Archives, signing is
actually recommended. WRT MELPA we can do the following:
1. Open an issue
2. Allow users to demand package.el to verify signatures when
downloading packages. Interested users can then increase their
security by rejecting packages without .sig file.
--
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>
next prev parent reply other threads:[~2023-02-17 10:21 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-15 20:53 Security in the emacs package ecosystem Husain Alshehhi
2023-02-04 13:12 ` Ihor Radchenko
2023-02-04 16:59 ` Stefan Kangas
2023-02-17 10:21 ` Ihor Radchenko [this message]
2023-02-17 10:23 ` Ihor Radchenko
2023-02-17 15:54 ` Stefan Kangas
2023-02-18 10:57 ` Ihor Radchenko
2023-02-18 11:49 ` Eli Zaretskii
2023-02-20 5:18 ` Richard Stallman
2023-02-20 6:23 ` Po Lu
2023-02-20 17:38 ` chad
2023-03-11 19:45 ` Thomas Koch
2023-03-14 4:00 ` Richard Stallman
2023-02-18 11:54 ` Making `package-check-signature' more restrictive by default Stefan Kangas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87wn4gd232.fsf@localhost \
--to=yantar92@posteo.net \
--cc=emacs-devel@gnu.org \
--cc=husain@alshehhi.io \
--cc=stefankangas@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).