From: Gulshan Singh
Newsgroups: gmane.emacs.devel
Subject: Re: Fwd: Should package.el support notifying on package security updates?
Date: Sat, 13 Aug 2022 20:29:54 -0700
References: <87r12qm4q5.fsf@gmail.com> <87y1vus4xy.fsf@rfc20.org>
To: rms@gnu.org
Cc: Matt Armstrong, emacs-devel@gnu.org
List-Id: "Emacs development discussions."
Xref: news.gmane.io gmane.emacs.devel:293437

That makes sense. But I only brought up the MELPA example because I
recently encountered a security bug in a MELPA package. There's no
reason ELPA packages can't have similar security bugs (I just don't
have an example of this at the moment), and I figured it might be a
good idea to have some support for making it easier for users to
quickly get security updates for packages, regardless of what
repository they're using.

On Sat, Aug 13, 2022, 8:23 PM Richard Stallman <rms@gnu.org> wrote:

> [[[ To any NSA and FBI agents reading my email: please consider ]]]
> [[[ whether defending the US Constitution against all enemies, ]]]
> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
>
> We do not endorse or point to MELPA, because it doesn't uphold our
> principles of rejecting nonfree software. So we don't get involved in
> maintaining MELPA. We have nothing to do with it.
>
> When there is a package that happens to be in MELPA that we want to
> recommend to users, we can put it in NonGNU ELPA. There, we can give
> it a little emergency maintenance if that seems called for.
>
> --
> Dr Richard Stallman (https://stallman.org)
> Chief GNUisance of the GNU Project (https://gnu.org)
> Founder, Free Software Foundation (https://fsf.org)
> Internet Hall-of-Famer (https://internethalloffame.org)