From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!not-for-mail From: Paul Nathan Newsgroups: gmane.emacs.devel Subject: Re: ELPA security Date: Sun, 6 Jan 2013 21:53:30 -0800 Message-ID: References: <8738zf70ep.fsf@riseup.net> <871uejlbm1.fsf@lifelogs.com> <87k3rrr31g.fsf@Rainer.invalid> <874nium8h0.fsf@lifelogs.com> <87bod1h7d3.fsf@gmail.com> NNTP-Posting-Host: plane.gmane.org Mime-Version: 1.0 Content-Type: multipart/alternative; boundary=047d7b6d9116dfea5f04d2ac7235 X-Trace: ger.gmane.org 1357538015 15667 80.91.229.3 (7 Jan 2013 05:53:35 GMT) X-Complaints-To: usenet@ger.gmane.org NNTP-Posting-Date: Mon, 7 Jan 2013 05:53:35 +0000 (UTC) Cc: emacs-devel@gnu.org To: Jambunathan K Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Mon Jan 07 06:53:52 2013 Return-path: Envelope-to: ged-emacs-devel@m.gmane.org Original-Received: from lists.gnu.org ([208.118.235.17]) by plane.gmane.org with esmtp (Exim 4.69) (envelope-from ) id 1Ts5eg-0001sZ-DV for ged-emacs-devel@m.gmane.org; Mon, 07 Jan 2013 06:53:50 +0100 Original-Received: from localhost ([::1]:43833 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Ts5eQ-0007CA-TV for ged-emacs-devel@m.gmane.org; Mon, 07 Jan 2013 00:53:34 -0500 Original-Received: from eggs.gnu.org ([208.118.235.92]:52904) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Ts5eO-0007Bt-9W for emacs-devel@gnu.org; Mon, 07 Jan 2013 00:53:33 -0500 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1Ts5eN-0007bG-1c for emacs-devel@gnu.org; Mon, 07 Jan 2013 00:53:32 -0500 Original-Received: from mail-vc0-f180.google.com ([209.85.220.180]:52410) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Ts5eM-0007bC-TI for emacs-devel@gnu.org; Mon, 07 Jan 2013 00:53:30 -0500 Original-Received: by mail-vc0-f180.google.com with SMTP id p16so18752020vcq.39 for ; Sun, 06 Jan 2013 21:53:30 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=bM7D+pg65sIQbWzSPCvtRlkHQoGIYDT461mJrHjla44=; b=0aF+uMoM5m2MEjup9fHmg12Vsi90oD9DpPeIkSN73HAO/haqVbJlTDsASoz7RLaRn3 v2sUF1kfb5tGuj+a4yq5lY9a9CErfi9NK0FAUs1UGMVlwzEdFwKPv/c6WQAJyKIUotFN igyumYiPWHsiSmXIXpEydu64srpQzO50O9SSXY4/QFWIeIuDPdS/nyOZdGTUm1HgRz2O dWA8YNPIPFkcLlmHOv/FsrUvuKOPdEufQrkWHFb1IXt6VvZ1L6lGhpzvp4ypyA5xgwde iwC6KUBxfXjcEDTOcDVks4EtS2bD8in7TkpdTTES9+ARZLDCJ78FCcJxgM7c/pPwE63b Kb0Q== Original-Received: by 10.58.18.239 with SMTP id z15mr84714781ved.27.1357538010327; Sun, 06 Jan 2013 21:53:30 -0800 (PST) Original-Received: by 10.220.141.212 with HTTP; Sun, 6 Jan 2013 21:53:30 -0800 (PST) In-Reply-To: <87bod1h7d3.fsf@gmail.com> X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [fuzzy] X-Received-From: 209.85.220.180 X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Xref: news.gmane.org gmane.emacs.devel:156106 Archived-At: --047d7b6d9116dfea5f04d2ac7235 Content-Type: text/plain; charset=ISO-8859-1 > If I am downloading a package from a trustworthy site - "certified" by a > legal entity - I should be doing good, right. Jambunathan, The existing problem statement is that while we (presumably) trust the GNU Emacs code, we do not per se trust the other packages in existence. How do we know those packages are what the original authors created? It is not the best idea from a security standpoint to download arbitrary code from the emacs wiki and execute it! The ELPA infrastructure now allows pulling extensions from multiple non-GNU repositories. I certainly hope no one hacks them! If someone does, then a certification mechanism would assist the user in telling them that something's gone very wrong. So a signing mechanism allows the distributor to certify his/her code as being written by his/ger, and you to verify that the distributor certified their code. Whether the code itself is any good is a different question, of course - a malicious distributor that everyone trusts is a big problem! Kind regards, Paul > > --047d7b6d9116dfea5f04d2ac7235 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable
> If I am downloading a package from a t= rustworthy site - "certified" by a
> legal entity - I should be doing good, right.

Jambunathan,
<= br>
The existing problem statement is that while we (presumably) trust= the GNU Emacs code, we do not per se trust the other packages in existence= . How do we know those packages are what the original authors created?=A0 I= t is not the best idea from a security standpoint to download arbitrary cod= e from the emacs wiki and execute it!

The ELPA infrastructure now allows pulling extensions from multip= le non-GNU repositories. I certainly hope no one hacks them! If someone doe= s, then a certification mechanism would assist the user in telling them tha= t something's gone very wrong.=A0 So a signing mechanism allows the dis= tributor to certify his/her code as being written by his/ger, and you to ve= rify that the distributor certified their code.=A0 Whether the code itself = is any good is a different question, of course - a malicious distributor th= at everyone trusts is a big problem!


Kind regards,
Paul


--047d7b6d9116dfea5f04d2ac7235--