From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail
From: Ihor Radchenko <yantar92@posteo.net>
Newsgroups: gmane.emacs.devel
Subject: Re: Security in the emacs package ecosystem
Date: Fri, 17 Feb 2023 10:21:37 +0000
Message-ID: <87wn4gd232.fsf@localhost>
References: <8735hatt4m.fsf@alshehhi.io> <87fsblfuc6.fsf@localhost>
 <CADwFkmkx3J=LvWT1upGMBaC3MRuyuxmAOB4ghRpYu-BCuX3sSg@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain
Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214";
	logging-data="16965"; mail-complaints-to="usenet@ciao.gmane.io"
Cc: Husain Alshehhi <husain@alshehhi.io>, emacs-devel@gnu.org
To: Stefan Kangas <stefankangas@gmail.com>
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Fri Feb 17 11:21:53 2023
Return-path: <emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org>
Envelope-to: ged-emacs-devel@m.gmane-mx.org
Original-Received: from lists.gnu.org ([209.51.188.17])
	by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org>)
	id 1pSxsH-0004Fk-Lm
	for ged-emacs-devel@m.gmane-mx.org; Fri, 17 Feb 2023 11:21:53 +0100
Original-Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <emacs-devel-bounces@gnu.org>)
	id 1pSxra-0002ap-SE; Fri, 17 Feb 2023 05:21:10 -0500
Original-Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <yantar92@posteo.net>)
 id 1pSxrZ-0002af-Hh
 for emacs-devel@gnu.org; Fri, 17 Feb 2023 05:21:09 -0500
Original-Received: from mout02.posteo.de ([185.67.36.66])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <yantar92@posteo.net>)
 id 1pSxrV-0007lC-Dr
 for emacs-devel@gnu.org; Fri, 17 Feb 2023 05:21:09 -0500
Original-Received: from submission (posteo.de [185.67.36.169]) 
 by mout02.posteo.de (Postfix) with ESMTPS id C4048240475
 for <emacs-devel@gnu.org>; Fri, 17 Feb 2023 11:21:00 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.net; s=2017;
 t=1676629262; bh=vt1W07bXjZ+H+gOLLZX1rm1F46kL9ouKmAUDSkaHRyo=;
 h=From:To:Cc:Subject:Date:From;
 b=kMZKz3JnhS5VGGt+W+Tn7Q0FDV8w1Mv1GuuTi03iwCPQDpJRBOYY6/EF9rxnzq4vt
 jGLQjQF9fZZtDUIZjuM2Kyhjl6veNW39NNna1+yBg8iICJz4WZ57CwFwFUfVhPCNMj
 cK8XYOukCEd7PZETTUbNlT5vquwXhDzgIOwv2B7+r3LEvs+uAGGSdLf72TEU2NglYw
 8h1h4BIwBQcmWLrGyhFt6oiXre+W3voA4w5LoRU7CY7x1EuYb/E6PG+ypDg2E1Hhi5
 /Ycgh7V69BO37S2E2SAnVaqXHHlGmdPvdHGEil/eJ0UvFHQyVLr3D/hIfnN3YwgfJ+
 f7NQvwL1NMqWA==
Original-Received: from customer (localhost [127.0.0.1])
 by submission (posteo.de) with ESMTPSA id 4PJ7BM0cW7z6trH;
 Fri, 17 Feb 2023 11:20:58 +0100 (CET)
In-Reply-To: <CADwFkmkx3J=LvWT1upGMBaC3MRuyuxmAOB4ghRpYu-BCuX3sSg@mail.gmail.com>
Received-SPF: pass client-ip=185.67.36.66; envelope-from=yantar92@posteo.net;
 helo=mout02.posteo.de
X-Spam_score_int: -43
X-Spam_score: -4.4
X-Spam_bar: ----
X-Spam_report: (-4.4 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Emacs development discussions." <emacs-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/emacs-devel>,
 <mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/emacs-devel>
List-Post: <mailto:emacs-devel@gnu.org>
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/emacs-devel>,
 <mailto:emacs-devel-request@gnu.org?subject=subscribe>
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org
Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org
Xref: news.gmane.io gmane.emacs.devel:303462
Archived-At: <http://permalink.gmane.org/gmane.emacs.devel/303462>

Stefan Kangas <stefankangas@gmail.com> writes:

> I think we should add some flag to the build system saying that a
> package should only be released if the new tag has a valid signature.
> This would have to be optional for now.  (It is of course already best
> practice to always sign your tags regardless.)

This is a good measure and will certainly improve security.

Another consideration is that package recipes can be directly edited by
anyone. If an account of a person with write access to, for example,
ELPA is compromised, ELPA recipes can be arbitrarily manipulated for all
ELPA packages. This includes re-targeting the source repo or simply
disabling the signature verification.

I am raising this because a breach of a package repo means a significant
probability of leaked ssh keys. The same ssh keys can be used to access
ELPA then.

> GNU ELPA and NonGNU ELPA does sign packages, see for example:
>
>     https://elpa.gnu.org/packages/company-0.9.13.tar
>     https://elpa.gnu.org/packages/company-0.9.13.tar.sig
>
> For some reason, the signature file is not linked from the web
> interface.  I think we should add such a link.

I opened a bug report to create an actionable item on this.
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=61569

> If I'm not mistaken, MELPA unfortunately does not sign packages.

Looking at 43.4 Creating and Maintaining Package Archives, signing is
actually recommended. WRT MELPA we can do the following:
1. Open an issue
2. Allow users to demand package.el to verify signatures when
   downloading packages. Interested users can then increase their
   security by rejecting packages without .sig file.

-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>