From: Matt Armstrong <matt@rfc20.org>
To: Gulshan Singh <gsingh2011@gmail.com>, emacs-devel@gnu.org
Subject: Re: Fwd: Should package.el support notifying on package security updates?
Date: Thu, 11 Aug 2022 17:04:09 -0700 [thread overview]
Message-ID: <87y1vus4xy.fsf@rfc20.org> (raw)
In-Reply-To: <CANEZYrdmk-7XD=RR_8s6fVV5+7aYC8g1yVEFTOUnYzW5rkz24w@mail.gmail.com>
Gulshan Singh <gsingh2011@gmail.com> writes:
> I recently reported a security issue for a package on MELPA, where
> even though I trusted the package author, if I used the package to
> process untrusted data that data code be crafted in a way to execute
> arbitrary code on my system. This led me to wonder if there was any
> mechanism for package.el to distinguish between regular updates and
> security updates, and I wasn't able to find any information on this.
>
> Has there been any past discussion on this? As an example, on Ubuntu you
> can see how many of the pending updates are security updates as opposed
> to regular updates, and you can configure the system to auto-update just
> the security updates. I feel like the package manager in emacs should
> have something similar, but maybe I'm missing something about why this
> functionality isn't included.
I am not an authority on Emacs packages, but as far as I am aware, there
is no mechanism in place to track security vulnerabilities in Emacs
packages or any way to urgently present available fixes to users
(e.g. by suggesting a partiular package upgrade is urgent).
One substantive discussion I found on package security issues in general
occurred on emacs-devel 9 years ago:
Subject: security of the emacs package system, elpa, melpa and marmalade
Date: Mon, 23 Sep 2013 09:30:35 +0200
https://lists.gnu.org/archive/html/emacs-devel/2013-09/threads.html
Shortly after that discussion it looks like package.el was changed to
verify package signatures (at least optionally, based on the
availability of a gpg installation, which went through refinement over a
period of years).
next prev parent reply other threads:[~2022-08-12 0:04 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <87r12qm4q5.fsf@gmail.com>
2022-08-08 1:46 ` Fwd: Should package.el support notifying on package security updates? Gulshan Singh
2022-08-12 0:04 ` Matt Armstrong [this message]
2022-08-12 0:29 ` Tim Cross
2022-08-12 13:18 ` Stefan Kangas
2022-08-13 0:44 ` Tim Cross
2022-08-12 21:40 ` Stefan Monnier
2022-08-13 0:58 ` Tim Cross
2022-08-13 4:58 ` tomas
2022-08-13 14:00 ` Stefan Monnier
2022-08-14 3:23 ` Richard Stallman
2022-08-14 3:29 ` Gulshan Singh
2022-08-16 2:52 ` Richard Stallman
2022-08-25 3:32 ` Richard Stallman
2022-08-25 4:33 ` Tim Cross
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87y1vus4xy.fsf@rfc20.org \
--to=matt@rfc20.org \
--cc=emacs-devel@gnu.org \
--cc=gsingh2011@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).