From mboxrd@z Thu Jan 1 00:00:00 1970
From: Richard Stallman
Newsgroups: gmane.emacs.devel
Subject: Re: Fwd: Should package.el support notifying on package security updates?
Date: Mon, 15 Aug 2022 22:52:17 -0400
References: <87r12qm4q5.fsf@gmail.com> <87y1vus4xy.fsf@rfc20.org>
Reply-To: rms@gnu.org
Content-Type: text/plain; charset=Utf-8
To: Gulshan Singh
Cc: matt@rfc20.org, emacs-devel@gnu.org
In-Reply-To: (message from Gulshan Singh on Sat, 13 Aug 2022 20:29:54 -0700)
List-Id: "Emacs development discussions."
Xref: news.gmane.io gmane.emacs.devel:293492

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

> There's no reason
> ELPA packages can't have similar security bugs (I just don't have an
> example of this at the moment), and I figured it might be a good idea to
> have some support for making it easier for users to quickly get security
> updates for packages, regardless of what repository they're using.

It makes sense for us to improve matters for GNU ELPA. It's a
desirable thing to do, and it's part of our work.

What remains is the practical question: what actions, that would
improve the situation, are feasible for us to do. As I'm not an
expert on that, I will leave it to the others.

-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)