unofficial mirror of emacs-devel@gnu.org 
* Security in the emacs package ecosystem
@ 2022-05-15 20:53 Husain Alshehhi
  2023-02-04 13:12 ` Ihor Radchenko
  0 siblings, 1 reply; 14+ messages in thread
From: Husain Alshehhi @ 2022-05-15 20:53 UTC (permalink / raw)
  To: emacs-devel

Hello,

This issue is not new and seems to have been discussed before:
  <https://emacs-devel.gnu.narkive.com/atiq1AoP/security-of-the-emacs-package-system-elpa-melpa-and-marmalade>

I was wondering if things have changed since then.

To summarize: most Emacs users download packages directly from the git repository. This is a security threat as there is nothing to prevent a malicious change from going to users. The malicious change could be posted through a hack, or could be posted by the owner of the package (in extreme cases). Is there anything currently in the ecosystem, or package repository, to prevent these sorts of issues? Are there any initiatives or ideas to address these issues? If not, what are the recommended (and practical) ways to be safe?

(Some solutions that are typically thrown out: manual code review of every package installed. Use distro package manager and have emacs packages go through the normal package review process of each distro. Package signing. melpa/elpa stamp of approval.)

Husain




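The "package signing" option listed in the message above is the one package.el already supports through `package-check-signature'. The configuration below is an added example for this mirror, not code from the thread, from Husain, or from Emacs's own documentation; it shows the permissive default beside a stricter policy. Assumptions: that the GNU and NonGNU ELPA archives publish a signed archive-contents (if an archive you add does not, refreshing it will fail under this setting), and the helper name `my/package-signature-policy' is hypothetical.

```elisp
;; Added example (not from the emacs-devel thread): tightening package.el's
;; signature checking.

(require 'package)

;; Weak setting.  When gpg is on PATH, Emacs defaults to `allow-unsigned':
;; a package or archive index that ships no .sig file is accepted without any
;; check, and only a signature that is present but fails to verify is rejected.
;;
;;   (setq package-check-signature 'allow-unsigned)
;;
;; Hardened setting: require at least one signature and reject the package if
;; any signature present fails to verify.
(setq package-check-signature 'all)

;; Keep only archives that sign their archive-contents.  (Assumption: GNU ELPA
;; and NonGNU ELPA do; any archive added here that does not will now fail.)
(setq package-archives
      '(("gnu"    . "https://elpa.gnu.org/packages/")
        ("nongnu" . "https://elpa.nongnu.org/nongnu/")))

;; Do not exempt any archive from the check.  A name listed here would be
;; installed from without verification regardless of the setting above.
(setq package-unsigned-archives nil)

;; Hypothetical helper: return the effective policy so it can be inspected in
;; an interactive session or asserted in a batch run before installing anything.
(defun my/package-signature-policy ()
  "Return a plist describing the current package signature policy."
  (list :check-signature package-check-signature
        :unsigned-archives package-unsigned-archives
        :archives (mapcar #'car package-archives)
        :keyring package-gnupghome-dir))
```

To confirm the policy is in force before the first install, load the file in batch mode and refresh: `emacs --batch -l hardening.el --eval '(progn (package-refresh-contents) (message "%S" (my/package-signature-policy)))'`. With `package-check-signature' set to `all', `package-refresh-contents' itself fails if an archive's index cannot be verified against the keys in `package-gnupghome-dir', which is the desired behaviour: an unverifiable archive is rejected before any package from it is installed.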


Thread overview: 14+ messages
2022-05-15 20:53 Security in the emacs package ecosystem Husain Alshehhi
2023-02-04 13:12 ` Ihor Radchenko
2023-02-04 16:59   ` Stefan Kangas
2023-02-17 10:21     ` Ihor Radchenko
2023-02-17 10:23       ` Ihor Radchenko
2023-02-17 15:54       ` Stefan Kangas
2023-02-18 10:57         ` Ihor Radchenko
2023-02-18 11:49           ` Eli Zaretskii
2023-02-20  5:18             ` Richard Stallman
2023-02-20  6:23               ` Po Lu
2023-02-20 17:38               ` chad
2023-03-11 19:45                 ` Thomas Koch
2023-03-14  4:00                   ` Richard Stallman
2023-02-18 11:54           ` Making `package-check-signature' more restrictive by default Stefan Kangas

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs.git
