From: chad
Newsgroups: gmane.emacs.devel
Subject: Re: Security in the emacs package ecosystem
Date: Mon, 20 Feb 2023 12:38:03 -0500
To: rms@gnu.org
Cc: Eli Zaretskii, yantar92@posteo.net, stefankangas@gmail.com, husain@alshehhi.io, emacs-devel@gnu.org

On Mon, Feb 20, 2023 at 12:19 AM Richard Stallman <rms@gnu.org> wrote:

> Alternatively, we could use Autoconf to check for GPG or PGP
> when building Emacs.

Practically speaking, I expect this concern to apply mostly when users install but don't build their own emacs, plus it is likely to misfire when distributors build emacs.

Separately, if we think this is important enough to *want* GPG/PGP/etc more often, we could ask the distros to add it as an optional dependency.

Hope that helps,
~Chad
