From: chad
Newsgroups: gmane.emacs.devel
Subject: Re: ELPA security
Date: Sun, 6 Jan 2013 23:18:45 -0800
To: "emacs-devel@gnu.org devel"

On 06 Jan 2013, at 22:09, Jambunathan K wrote:

> The main problem is not that of security per se. The main problem is
> reliability. The packages will break, the author wouldn't care about
> responding to questions or fixing things, the functionality itself could
> be broken in unknown ways etc.

I don't know what you consider the `main' problem, but right now there
are kits out on the web that could pretty easily be adapted to
transparently compromise anyone who ever uses any package from any
package.el repository. As I understand it, that's the first line of
concern that's sparked the conversation.

I'm not a security expert, but I used to work with several. It's almost
always easier and better to add (basic) security to a system as soon as
you can; the resistance to change and effort builds up very fast. It
might already be too late for the first version of ELPA.

Hope that helps,
~Chad