From: Richard Stallman
Newsgroups: gmane.emacs.devel
Subject: Re: Security in the emacs package ecosystem
Date: Tue, 14 Mar 2023 00:00:00 -0400
Reply-To: rms@gnu.org
To: Thomas Koch
Cc: yandros@gmail.com, eliz@gnu.org, yantar92@posteo.net, stefankangas@gmail.com, husain@alshehhi.io, emacs-devel@gnu.org
In-Reply-To: <1738536780.363804.1678563952044@office.mailbox.org> (message from Thomas Koch on Sat, 11 Mar 2023 21:45:52 +0200 (EET))

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

> The Emacs manual only mentions, that package archives can be
> signed and that "Package archives should provide instructions on
> how you can obtain their public key." (emacs, 48.3 Package
> Installation)

> There are no such instructions on https://elpa.gnu.org nor is
> there any information on security.

We need to provide information about these topics, as well as
everything else we expect ELPA package maintainers to do, and whatever
we want them to agree to.

-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)