unofficial mirror of emacs-devel@gnu.org 
 help / color / mirror / code / Atom feed
* Where should security issues with GNU ELPA packages be reported?
@ 2024-03-28 13:40 Morgan Willcock
  2024-03-28 14:53 ` Emanuel Berg
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Morgan Willcock @ 2024-03-28 13:40 UTC (permalink / raw)
  To: emacs-devel

I think I have found a security issue with a package which is
distributed on GNU ELPA, and I am unsure who to notify.

Given that the package is technically part of Emacs, do I follow
whatever the procedure would be for disclosing security problems with
Emacs?  If so, what is that procedure?

Or should I e-mail the package author first?

Given that it is not the package author who is distributing the package,
I am unsure what to do.

-- 
Morgan Willcock



^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Where should security issues with GNU ELPA packages be reported?
  2024-03-28 13:40 Where should security issues with GNU ELPA packages be reported? Morgan Willcock
@ 2024-03-28 14:53 ` Emanuel Berg
  2024-03-28 16:07 ` Philip Kaludercic
  2024-03-31 23:46 ` Richard Stallman
  2 siblings, 0 replies; 6+ messages in thread
From: Emanuel Berg @ 2024-03-28 14:53 UTC (permalink / raw)
  To: emacs-devel

Morgan Willcock wrote:

> I think I have found a security issue with a package which
> is distributed on GNU ELPA, and I am unsure who to notify.
>
> Given that the package is technically part of Emacs, do
> I follow whatever the procedure would be for disclosing
> security problems with Emacs? If so, what is that procedure?
>
> Or should I e-mail the package author first?

Good idea, after that you can post here or use
`report-emacs-bug'.

-- 
underground experts united
https://dataswamp.org/~incal




^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Where should security issues with GNU ELPA packages be reported?
  2024-03-28 13:40 Where should security issues with GNU ELPA packages be reported? Morgan Willcock
  2024-03-28 14:53 ` Emanuel Berg
@ 2024-03-28 16:07 ` Philip Kaludercic
  2024-03-28 17:14   ` Morgan Willcock
  2024-03-31 23:46 ` Richard Stallman
  2 siblings, 1 reply; 6+ messages in thread
From: Philip Kaludercic @ 2024-03-28 16:07 UTC (permalink / raw)
  To: Morgan Willcock; +Cc: emacs-devel

Morgan Willcock <morgan@ice9.digital> writes:

> I think I have found a security issue with a package which is
> distributed on GNU ELPA, and I am unsure who to notify.
>
> Given that the package is technically part of Emacs, do I follow
> whatever the procedure would be for disclosing security problems with
> Emacs?  If so, what is that procedure?
>
> Or should I e-mail the package author first?
>
> Given that it is not the package author who is distributing the package,
> I am unsure what to do.

It would probably be better to message the maintainer first, if there is
no explicit maintainer you can check elpa.git to infer who is
responsible.  Can you disclose what package you are concerned about?

-- 
	Philip Kaludercic on peregrine



^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Where should security issues with GNU ELPA packages be reported?
  2024-03-28 16:07 ` Philip Kaludercic
@ 2024-03-28 17:14   ` Morgan Willcock
  2024-03-29  5:53     ` Philip Kaludercic
  0 siblings, 1 reply; 6+ messages in thread
From: Morgan Willcock @ 2024-03-28 17:14 UTC (permalink / raw)
  To: Philip Kaludercic; +Cc: emacs-devel

Philip Kaludercic <philipk@posteo.net> writes:

> Morgan Willcock <morgan@ice9.digital> writes:
>
>> I think I have found a security issue with a package which is
>> distributed on GNU ELPA, and I am unsure who to notify.
>>
>> Given that the package is technically part of Emacs, do I follow
>> whatever the procedure would be for disclosing security problems with
>> Emacs?  If so, what is that procedure?
>>
>> Or should I e-mail the package author first?
>>
>> Given that it is not the package author who is distributing the package,
>> I am unsure what to do.
>
> It would probably be better to message the maintainer first, if there is
> no explicit maintainer you can check elpa.git to infer who is
> responsible.

There is an e-mail address for the maintainer, I just wasn't sure
whether going to them first was the correct thing to do.

> Can you disclose what package you are concerned about?

I was not planning on naming it until after I had spoken privately to
whoever the appropriate person is.  The problem concerns an encryption
failure which potentially exposes private security keys.

-- 
Morgan Willcock



^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Where should security issues with GNU ELPA packages be reported?
  2024-03-28 17:14   ` Morgan Willcock
@ 2024-03-29  5:53     ` Philip Kaludercic
  0 siblings, 0 replies; 6+ messages in thread
From: Philip Kaludercic @ 2024-03-29  5:53 UTC (permalink / raw)
  To: Morgan Willcock; +Cc: emacs-devel

Morgan Willcock <morgan@ice9.digital> writes:

> Philip Kaludercic <philipk@posteo.net> writes:
>
>> Morgan Willcock <morgan@ice9.digital> writes:
>>
>>> I think I have found a security issue with a package which is
>>> distributed on GNU ELPA, and I am unsure who to notify.
>>>
>>> Given that the package is technically part of Emacs, do I follow
>>> whatever the procedure would be for disclosing security problems with
>>> Emacs?  If so, what is that procedure?
>>>
>>> Or should I e-mail the package author first?
>>>
>>> Given that it is not the package author who is distributing the package,
>>> I am unsure what to do.
>>
>> It would probably be better to message the maintainer first, if there is
>> no explicit maintainer you can check elpa.git to infer who is
>> responsible.
>
> There is an e-mail address for the maintainer, I just wasn't sure
> whether going to them first was the correct thing to do.

The maintainer of the package can generally push changes to their own
repository and can trigger a new package to be built.  If they do not
respond and it is urgent, anyone with access to elpa.git could push a
commit to the mirror (forking from upstream).

>> Can you disclose what package you are concerned about?
>
> I was not planning on naming it until after I had spoken privately to
> whoever the appropriate person is.  The problem concerns an encryption
> failure which potentially exposes private security keys.

Ok, understandable.

-- 
	Philip Kaludercic on peregrine



^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Where should security issues with GNU ELPA packages be reported?
  2024-03-28 13:40 Where should security issues with GNU ELPA packages be reported? Morgan Willcock
  2024-03-28 14:53 ` Emanuel Berg
  2024-03-28 16:07 ` Philip Kaludercic
@ 2024-03-31 23:46 ` Richard Stallman
  2 siblings, 0 replies; 6+ messages in thread
From: Richard Stallman @ 2024-03-31 23:46 UTC (permalink / raw)
  To: Morgan Willcock; +Cc: emacs-devel

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

If a package in NonGNU ELPA as a security problem that is important
enough, we can take action ourselves -- either to fix it ourselves in
a hurry, or to remove it from NonGNU ELPA until its developers fix it.

-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)





^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2024-03-31 23:46 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-03-28 13:40 Where should security issues with GNU ELPA packages be reported? Morgan Willcock
2024-03-28 14:53 ` Emanuel Berg
2024-03-28 16:07 ` Philip Kaludercic
2024-03-28 17:14   ` Morgan Willcock
2024-03-29  5:53     ` Philip Kaludercic
2024-03-31 23:46 ` Richard Stallman

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).