From: Matt Armstrong
Newsgroups: gmane.emacs.devel
Subject: Re: Fwd: Should package.el support notifying on package security updates?
Date: Thu, 11 Aug 2022 17:04:09 -0700
Message-ID: <87y1vus4xy.fsf@rfc20.org>
References: <87r12qm4q5.fsf@gmail.com>
To: Gulshan Singh, emacs-devel@gnu.org

Gulshan Singh writes:

> I recently reported a security issue for a package on MELPA, where
> even though I trusted the package author, if I used the package to
> process untrusted data that data could be crafted in a way to execute
> arbitrary code on my system. This led me to wonder if there was any
> mechanism for package.el to distinguish between regular updates and
> security updates, and I wasn't able to find any information on this.
>
> Has there been any past discussion on this? As an example, on Ubuntu you
> can see how many of the pending updates are security updates as opposed
> to regular updates, and you can configure the system to auto-update just
> the security updates. I feel like the package manager in emacs should
> have something similar, but maybe I'm missing something about why this
> functionality isn't included.

I am not an authority on Emacs packages, but as far as I am aware, there
is no mechanism in place to track security vulnerabilities in Emacs
packages or any way to urgently present available fixes to users (e.g. by
suggesting a particular package upgrade is urgent).

One substantive discussion I found on package security issues in general
occurred on emacs-devel 9 years ago:

  Subject: security of the emacs package system, elpa, melpa and marmalade
  Date: Mon, 23 Sep 2013 09:30:35 +0200
  https://lists.gnu.org/archive/html/emacs-devel/2013-09/threads.html

Shortly after that discussion it looks like package.el was changed to
verify package signatures (at least optionally, based on the availability
of a gpg installation, which went through refinement over a period of
years).
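The signature verification the reply refers to is controlled from the user's init file, and its default is the "optional" mode described above. The following is an added example, not code from this thread or from package.el itself: it shows the weak setting beside the strict one, and how an unsigned archive is handled once verification is strict. The variable names are package.el's own; the archive list and the decision to exempt MELPA are assumptions for illustration.

```elisp
;; Added example (not from the thread): controlling package.el's
;; signature verification from init.el.  Variable names are package.el's
;; own; the archive list and the MELPA exemption are assumptions.

(require 'package)

;; Weak setting: nil disables signature checking entirely, so a
;; tampered archive-contents file or package tarball installs silently.
;; (setq package-check-signature nil)

;; Default: 'allow-unsigned verifies signatures that are present but
;; accepts packages that carry none, and package.el treats it as nil
;; when no gpg installation is found.  This is why the check is only
;; "optional" as described in the reply.
;; (setq package-check-signature 'allow-unsigned)

;; Strict setting: require that every signature on a package (and on
;; each archive's archive-contents index) verifies.  A missing
;; signature now fails the install instead of being ignored.
(setq package-check-signature 'all)

;; GNU ELPA and NonGNU ELPA sign their archives; MELPA does not
;; (assumption stated in the lead-in, true at the time of this thread).
;; With 'all, an unsigned archive must be exempted here explicitly or
;; nothing from it can be installed, which makes the trust decision
;; visible in the config rather than silent.
(setq package-archives
      '(("gnu"    . "https://elpa.gnu.org/packages/")
        ("nongnu" . "https://elpa.nongnu.org/nongnu/")
        ("melpa"  . "https://melpa.org/packages/")))
(setq package-unsigned-archives '("melpa"))
```

With this in place, `M-x package-refresh-contents` errors out on a signed archive whose index no longer verifies, rather than quietly using it; removing "melpa" from `package-unsigned-archives` makes the same thing happen for MELPA's unsigned index, which is the quickest way to confirm the strict mode is actually in effect on a given machine.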