From: Richard Stallman
Newsgroups: gmane.emacs.devel
Subject: Re: feature/package+vc 04c4c578c7 3/4: Allow for packages to be installed directly from VCS
Date: Mon, 10 Oct 2022 18:01:32 -0400
Reply-To: rms@gnu.org
To: Tim Cross
Cc: larsi@gnus.org, philipk@posteo.net, monnier@iro.umontreal.ca, emacs-devel@gnu.org
In-Reply-To: <86y1tqb0bs.fsf@gmail.com> (message from Tim Cross on Sun, 09 Oct 2022 06:02:12 +1100)

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > I think it is very dangerous to suggest there is ANY security here, even
  > with GNU ELPA packages.

  > - There is no formal security review of packages
  > - There is no review before packages are updated. If a repository is
  >   compromised and that compromise has not been detected, an update can
  >   still occur and introduce compromised code into GNU ELPA.

I think we had better do something about this.

-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)