From: Gulshan Singh <gsingh2011@gmail.com>
Newsgroups: gmane.emacs.devel
Subject: Fwd: Should package.el support notifying on package security updates?
Date: Sun, 7 Aug 2022 18:46:00 -0700
To: emacs-devel@gnu.org
In-Reply-To: <87r12qm4q5.fsf@gmail.com>
Xref: news.gmane.io gmane.emacs.devel:293239

Hi,

I sent the below message to the help-gnu-emacs mailing list, but I wanted to also raise the same question on the emacs-devel list, as it's more related to potential feature improvements in emacs.

---------- Forwarded message ---------
From: Gulshan Singh <gsingh2011@gmail.com>
Date: Tue, Jul 12, 2022 at 1:54 PM
Subject: Should package.el support notifying on package security updates?
To: <help-gnu-emacs@gnu.org>

Hi,

I recently reported a security issue for a package on MELPA, where even though I trusted the package author, if I used the package to process untrusted data that data could be crafted in a way to execute arbitrary code on my system. This led me to wonder if there was any mechanism for package.el to distinguish between regular updates and security updates, and I wasn't able to find any information on this.

Has there been any past discussion on this? As an example, on Ubuntu you can see how many of the pending updates are security updates as opposed to regular updates, and you can configure the system to auto-update just the security updates. I feel like the package manager in emacs should have something similar, but maybe I'm missing something about why this functionality isn't included.
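As an added illustration of the user-side half of what the message asks for, here is a small Emacs Lisp sketch. It is not code from package.el, MELPA or the message's author. It assumes a hypothetical advisory list (package name plus the first fixed version) that a user maintains by hand, or that an archive could one day ship alongside archive-contents; the two entries in it are constructed for the example. It only reads the real package.el data structures (`package-alist`, `package-desc-version`) and reports installed packages whose version is older than the fixed one, which is the minimum a "security update" notification would need.

```elisp
;; Added example, not part of package.el or of the original message.
;; ASSUMPTION: `my-package-security-advisories' is a hypothetical feed,
;; maintained by the user here; the entries below are constructed.
(require 'package)

(defvar my-package-security-advisories
  '((example-parser . "2.3.1")   ; constructed: versions < 2.3.1 affected
    (example-http   . "0.9"))    ; constructed: versions < 0.9 affected
  "Alist of (PACKAGE . FIXED-VERSION-STRING).
Installed versions older than FIXED-VERSION-STRING are treated as
needing a security update.")

(defun my-package-security-updates ()
  "Return a list of (PACKAGE INSTALLED FIXED) for installed packages
whose version is older than the fixed version in
`my-package-security-advisories'.  INSTALLED and FIXED are strings."
  (let (result)
    (dolist (entry my-package-security-advisories)
      (let* ((name  (car entry))
             (fixed (version-to-list (cdr entry)))
             ;; `package-alist' maps a symbol to a list of package-desc
             ;; structs, one per installed version of that package.
             (descs (cdr (assq name package-alist))))
        (dolist (desc descs)
          (let ((installed (package-desc-version desc)))
            (when (version-list-< installed fixed)
              (push (list name
                          (package-version-join installed)
                          (cdr entry))
                    result))))))
    (nreverse result)))

(defun my-package-report-security-updates ()
  "Echo which installed packages have a pending security update.
Packages not covered by an advisory are ignored, so a plain
`package-list-packages' upgrade is still needed for ordinary updates."
  (interactive)
  (let ((pending (my-package-security-updates)))
    (if (null pending)
        (message "No pending security updates")
      (dolist (p pending)
        (message "SECURITY: %s %s installed, fixed in %s"
                 (nth 0 p) (nth 1 p) (nth 2 p))))))
```

Run `M-x my-package-report-security-updates` after `package-initialize`. The part the message is really asking about, an authoritative source for the advisory list that package.el could trust and fetch, is deliberately left as the hand-maintained variable above; the version comparison and lookup against installed packages is the same either way.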