From: Stefan Kangas
Newsgroups: gmane.emacs.devel
Subject: Re: Security in the emacs package ecosystem
Date: Sat, 4 Feb 2023 08:59:54 -0800
References: <8735hatt4m.fsf@alshehhi.io> <87fsblfuc6.fsf@localhost>
In-Reply-To: <87fsblfuc6.fsf@localhost>
To: Ihor Radchenko, Husain Alshehhi
Cc: emacs-devel@gnu.org
List-Id: "Emacs development discussions."
Xref: news.gmane.io gmane.emacs.devel:302966

Ihor Radchenko writes:

> To follow up, how are the plans (stated in the referenced discussion)
> about signing ELPA packages?
>
> AFAIK, ELPA currently re-builds package tarballs every time a new tag
> appears in the source repo. No signature checks, nothing to prevent
> potential breach in the source repo.

I think we should add some flag to the build system saying that a
package should only be released if the new tag has a valid signature.
This would have to be optional for now.

(It is of course already best practice to always sign your tags
regardless.)

IMO, opening a feature request for this in the bug tracker would be
useful. A patch would be even better.

> And ELPA tarballs themselves are not signed. Same for non-GNU ELPA,
> AFAIK.

GNU ELPA and NonGNU ELPA do sign packages, see for example:

https://elpa.gnu.org/packages/company-0.9.13.tar
https://elpa.gnu.org/packages/company-0.9.13.tar.sig

For some reason, the signature file is not linked from the web
interface. I think we should add such a link.

If I'm not mistaken, MELPA unfortunately does not sign packages.
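The two checks discussed in this message, a per-package "only release if the new tag is signed" gate on the build side and verification of a detached `.sig` against a published tarball on the consumer side, sketched as an added example. This is not code from the ELPA build system or from anyone in the thread; the `require_signed_tag` flag, the `PackageSpec` shape and the `fake_runner` helper are assumptions made for illustration. The real checks shell out to `git verify-tag` and `gpg --verify`, which are the existing commands for each job; the injectable runner lets the gate be exercised offline with constructed results.

```python
import subprocess
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Hypothetical package spec, modelled on the idea of an opt-in flag in the
# build system. `require_signed_tag` is the assumed flag; a package that
# sets it must not be released from an unsigned or badly signed tag.
@dataclass
class PackageSpec:
    name: str
    repo: str                       # path to the package's git checkout
    require_signed_tag: bool = False

Runner = Callable[[List[str]], subprocess.CompletedProcess]

def default_runner(cmd: List[str]) -> subprocess.CompletedProcess:
    """Run a command and capture its output (used for real checks)."""
    return subprocess.run(cmd, capture_output=True, text=True)

def fake_runner(returncode: int, stdout: str = "") -> Runner:
    """Constructed runner for offline demonstration: returns a fixed result
    instead of executing anything."""
    return lambda cmd: subprocess.CompletedProcess(cmd, returncode,
                                                   stdout=stdout, stderr="")

def tag_signature_valid(repo: str, tag: str, runner: Runner = default_runner) -> bool:
    """`git verify-tag` exits non-zero when the tag is unsigned, the signature
    does not verify, or the signing key is not in the builder's keyring."""
    result = runner(["git", "-C", repo, "verify-tag", "--", tag])
    return result.returncode == 0

def should_release(spec: PackageSpec, tag: str,
                   runner: Runner = default_runner) -> Tuple[bool, str]:
    """Release gate: a package without the flag builds as before; a package
    with the flag builds only from a tag whose signature verifies."""
    if not spec.require_signed_tag:
        return True, f"{spec.name}: signed tag not required, releasing {tag}"
    if tag_signature_valid(spec.repo, tag, runner):
        return True, f"{spec.name}: tag {tag} has a valid signature"
    return False, f"{spec.name}: refusing release, tag {tag} is unsigned or invalid"

def tarball_signature_valid(tarball: str, sigfile: str,
                            keyring: Optional[str] = None,
                            runner: Runner = default_runner) -> bool:
    """Verify a detached signature (e.g. foo-1.0.tar.sig) over a tarball.
    `--status-fd 1` makes gpg print machine-readable status lines; we require
    both exit code 0 and a VALIDSIG line, because gpg's exit status alone
    does not distinguish a good signature from other success paths.
    A dedicated keyring holding only the archive's signing key avoids
    accepting a valid signature from an unrelated key in the user's keyring."""
    cmd = ["gpg", "--batch", "--status-fd", "1"]
    if keyring:
        cmd += ["--no-default-keyring", "--keyring", keyring]
    cmd += ["--verify", sigfile, tarball]
    result = runner(cmd)
    return result.returncode == 0 and "[GNUPG:] VALIDSIG" in result.stdout

if __name__ == "__main__":
    # Constructed demonstration: a package that opted in, seen with a tag
    # that verifies and one that does not.
    spec = PackageSpec("example-pkg", "/path/to/checkout", require_signed_tag=True)
    print(should_release(spec, "v1.0", fake_runner(0)))
    print(should_release(spec, "v1.1", fake_runner(1)))
    good = "[GNUPG:] GOODSIG 0123456789ABCDEF Example <ex@example.org>\n[GNUPG:] VALIDSIG ...\n"
    print(tarball_signature_valid("example-pkg-1.0.tar", "example-pkg-1.0.tar.sig",
                                  runner=fake_runner(0, good)))
```

In production the runner argument is left at its default so the real `git` and `gpg` binaries are consulted; the keyring used for tarball checks should contain only the archive signing key, so that a signature from some other key the user happens to have imported is not mistaken for the archive's.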