From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail
From: chad <yandros@gmail.com>
Newsgroups: gmane.emacs.devel
Subject: Re: Security in the emacs package ecosystem
Date: Mon, 20 Feb 2023 12:38:03 -0500
Message-ID: <CAO2hHWZ6mz6oCmeFrxKj9KN1J2=Y_wCe94LzjBcNMr3WPy2p6g@mail.gmail.com>
References: <8735hatt4m.fsf@alshehhi.io> <87fsblfuc6.fsf@localhost>
 <CADwFkmkx3J=LvWT1upGMBaC3MRuyuxmAOB4ghRpYu-BCuX3sSg@mail.gmail.com>
 <87wn4gd232.fsf@localhost>
 <CADwFkm=7XcgxNoAN380sYpq+xJRH8_tJSkachv6tE4bdtJ9oyw@mail.gmail.com>
 <87a61bkzq9.fsf@localhost> <83edqnyz00.fsf@gnu.org>
 <E1pTyZW-00006P-AE@fencepost.gnu.org>
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="000000000000a845b505f52520ef"
Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214";
	logging-data="3656"; mail-complaints-to="usenet@ciao.gmane.io"
Cc: Eli Zaretskii <eliz@gnu.org>, yantar92@posteo.net, stefankangas@gmail.com, 
 husain@alshehhi.io, emacs-devel@gnu.org
To: rms@gnu.org
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Mon Feb 20 18:38:56 2023
Return-path: <emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org>
Envelope-to: ged-emacs-devel@m.gmane-mx.org
Original-Received: from lists.gnu.org ([209.51.188.17])
	by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org>)
	id 1pUA7r-0000lU-Mc
	for ged-emacs-devel@m.gmane-mx.org; Mon, 20 Feb 2023 18:38:55 +0100
Original-Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <emacs-devel-bounces@gnu.org>)
	id 1pUA7J-0000HW-4d; Mon, 20 Feb 2023 12:38:21 -0500
Original-Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <yandros@gmail.com>) id 1pUA7I-0000G8-4T
 for emacs-devel@gnu.org; Mon, 20 Feb 2023 12:38:20 -0500
Original-Received: from mail-yb1-xb33.google.com ([2607:f8b0:4864:20::b33])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <yandros@gmail.com>)
 id 1pUA7G-0000it-DD; Mon, 20 Feb 2023 12:38:19 -0500
Original-Received: by mail-yb1-xb33.google.com with SMTP id z95so1640240ybh.0;
 Mon, 20 Feb 2023 09:38:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;
 h=cc:to:subject:message-id:date:from:in-reply-to:references
 :mime-version:from:to:cc:subject:date:message-id:reply-to;
 bh=h3QdulXpP61pz0+HvkDnkLudfPLa1fybScU+bODUmqg=;
 b=Eys7aTcHeg+Q83y78DsYS2S0ABxXuEA1VFOQp7D5CzpUAIGWWhXB8eTyFSi5KnBzZs
 4brFLPBFOdJK9MBmpidxa/9r4+KjLlrqao4MIgJgiVFZtNyeYe3C4WvbZKX44vCLCpc2
 k61HqZ+zVlVwZPDNlDsTXv4QWEEYBDtfwt2MhwFGAUamkGOplWE4jg79vtC3ZB2TkZEb
 Zn0hQrsXGInsx3O5CQaOy4wjMRsTZyiq5wf2cZPHatH/0riHkold2Wg3ku8eV1cKS+hz
 vtj30c4s467ri+dhu6fbuM6gDJ74IkwTk0NTbgfPR0bBOXJe5I5hW7B9OMmAk47u6Bgp
 qXwg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=cc:to:subject:message-id:date:from:in-reply-to:references
 :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id
 :reply-to;
 bh=h3QdulXpP61pz0+HvkDnkLudfPLa1fybScU+bODUmqg=;
 b=2cxlvYUaCT4b8BMI5y3aJflNuoRiwEuIjsLsZpjdxEaR+FAdNu8mZcqVCZyh2SjfEL
 pNxZo+Vdh5JUWh0TlmDa5MI24rXXXJfYcaFL3O7d6waGVb9ozvsUfFYqBXEizLVfI9nl
 YQ6P3LD/XnCzTRndJpFhGxP1oEOV+eFewo7tuvtzZiGyNeiX4WQhkqqkmdPcAtoyWsvQ
 ysa9+JaPXI/GnsbYGupgDwRpHjD7oZxxUhzAUuZ/WPBZXS0ei7skwTXPKvTtoC67NNLX
 0u9LS004773ysG+IXjhxxVFxBvPSHQ8s+afYhiEMn8l316S8fiDqSnELy5s7Mm+St1gF
 JEmg==
X-Gm-Message-State: AO0yUKXJcU7zyEoxNCv0oHKHXEZ4b/inUmDNDYLv2j3f8xI5+Ja2fOav
 ixmck7HVfPWkKdE5I4s0Gj4CpG6nrw/zKThGDbp6CJrd
X-Google-Smtp-Source: AK7set8FGrSqUhsCiCcG08LVg+RbD2b4GTmaBJy3vZ4kih8NArjhUfMajmeq1w3PJ4SY0tEHguNxFqbJTgC+Bjz9Ihg=
X-Received: by 2002:a5b:152:0:b0:90b:4969:fbfb with SMTP id
 c18-20020a5b0152000000b0090b4969fbfbmr593252ybp.40.1676914694045; Mon, 20 Feb
 2023 09:38:14 -0800 (PST)
In-Reply-To: <E1pTyZW-00006P-AE@fencepost.gnu.org>
Received-SPF: pass client-ip=2607:f8b0:4864:20::b33;
 envelope-from=yandros@gmail.com; helo=mail-yb1-xb33.google.com
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Emacs development discussions." <emacs-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/emacs-devel>,
 <mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/emacs-devel>
List-Post: <mailto:emacs-devel@gnu.org>
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/emacs-devel>,
 <mailto:emacs-devel-request@gnu.org?subject=subscribe>
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org
Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org
Xref: news.gmane.io gmane.emacs.devel:303619
Archived-At: <http://permalink.gmane.org/gmane.emacs.devel/303619>

--000000000000a845b505f52520ef
Content-Type: text/plain; charset="UTF-8"

On Mon, Feb 20, 2023 at 12:19 AM Richard Stallman <rms@gnu.org> wrote:

> Alternatively, we could use Autoconf to check for GPG or PGP
> when building Emacs.
>

Practically speaking, I expect this concern to apply mostly when users
install but don't build their own emacs, plus it is likely to misfire when
distributors build emacs.

Separately, if we think this is important enough to *want* GPG/PGP/etc more
often, we could ask the distros to add it as an optional dependency.

Hope that helps,
~Chad

--000000000000a845b505f52520ef
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr"></div><br><div class=3D"gmail_quote"><div=
 dir=3D"ltr" class=3D"gmail_attr">On Mon, Feb 20, 2023 at 12:19 AM Richard =
Stallman &lt;<a href=3D"mailto:rms@gnu.org">rms@gnu.org</a>&gt; wrote:</div=
><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border=
-left:1px solid rgb(204,204,204);padding-left:1ex">
Alternatively, we could use Autoconf to check for GPG or PGP<br>
when building Emacs.<br></blockquote><div><br></div><div>Practically speaki=
ng, I expect this concern to apply mostly when users install but don&#39;t =
build their own emacs, plus it is likely to misfire when distributors build=
 emacs.=C2=A0</div><div><br></div><div>Separately, if we think this is impo=
rtant enough to *want* GPG/PGP/etc more often, we could ask the distros to =
add it as an optional dependency.</div><div><br></div><div>Hope that helps,=
</div><div>~Chad</div><div><br></div></div></div>

--000000000000a845b505f52520ef--