From: Stefan Kangas
Newsgroups: gmane.emacs.devel
Subject: Re: Fwd: Should package.el support notifying on package security updates?
Date: Fri, 12 Aug 2022 06:18:52 -0700
To: Tim Cross, emacs-devel@gnu.org

Tim Cross writes:

> - There are actually very few security issues reported for Elisp
>   packages. This doesn't mean there aren't any, only that they are
>   discovered and reported very rarely.

If they are rare, that doesn't make them less important.

> - It would require package maintainers to somehow flag that an update is
>   a security update

I find the maintainers of important packages to be highly conscientious
people, and that goes in particular for the GNU ELPA maintainers. So I
don't share your concerns.

> I suspect if we added the functionality to flag an update as a security
> update, it is something which happens so rarely, nobody will use it and
> when they do, nobody will recognise what it really meant.

I think people will know the meaning, because it will presumably say
"security update" somewhere.