From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail
From: Stefan Monnier <monnier@iro.umontreal.ca>
Newsgroups: gmane.emacs.devel
Subject: Re: Fwd: Should package.el support notifying on package security
 updates?
Date: Fri, 12 Aug 2022 17:40:55 -0400
Message-ID: <jwv4jyhtaa1.fsf-monnier+emacs@gnu.org>
References: <87r12qm4q5.fsf@gmail.com>
 <CANEZYrdmk-7XD=RR_8s6fVV5+7aYC8g1yVEFTOUnYzW5rkz24w@mail.gmail.com>
 <87y1vus4xy.fsf@rfc20.org> <86y1vul261.fsf@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain
Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214";
	logging-data="18512"; mail-complaints-to="usenet@ciao.gmane.io"
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/29.0.50 (gnu/linux)
Cc: emacs-devel@gnu.org
To: Tim Cross <theophilusx@gmail.com>
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Fri Aug 12 23:41:54 2022
Return-path: <emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org>
Envelope-to: ged-emacs-devel@m.gmane-mx.org
Original-Received: from lists.gnu.org ([209.51.188.17])
	by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org>)
	id 1oMcPi-0004dk-KD
	for ged-emacs-devel@m.gmane-mx.org; Fri, 12 Aug 2022 23:41:54 +0200
Original-Received: from localhost ([::1]:46290 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org>)
	id 1oMcPh-0005Cx-8R
	for ged-emacs-devel@m.gmane-mx.org; Fri, 12 Aug 2022 17:41:53 -0400
Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:58934)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <monnier@iro.umontreal.ca>)
 id 1oMcP0-0004Vl-MZ
 for emacs-devel@gnu.org; Fri, 12 Aug 2022 17:41:10 -0400
Original-Received: from mailscanner.iro.umontreal.ca ([132.204.25.50]:53037)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <monnier@iro.umontreal.ca>)
 id 1oMcOv-0004di-0Y
 for emacs-devel@gnu.org; Fri, 12 Aug 2022 17:41:08 -0400
Original-Received: from pmg2.iro.umontreal.ca (localhost.localdomain [127.0.0.1])
 by pmg2.iro.umontreal.ca (Proxmox) with ESMTP id 72EAC8076F;
 Fri, 12 Aug 2022 17:41:03 -0400 (EDT)
Original-Received: from mail01.iro.umontreal.ca (unknown [172.31.2.1])
 by pmg2.iro.umontreal.ca (Proxmox) with ESMTP id 0863480626;
 Fri, 12 Aug 2022 17:41:02 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=iro.umontreal.ca;
 s=mail; t=1660340462;
 bh=VmcLLlIGpZiaEgjSuxeFYKq6TNcrei/RSfPFPND47AY=;
 h=From:To:Cc:Subject:In-Reply-To:References:Date:From;
 b=hsK5Eoi3hNpu2a5+Dz2Qv4Wn0f9p6g63a3bnp8Xj4P4Jq7iw4OHCfon2gqGxWZ4VT
 BYzoA1cqgExCCVjxlhfiONoLmoTxVbb1w0n76X7Jl/dWVjh68vvCnUgWGir5nBmUR2
 n65gANWTtN5ETgnRAMDiIHt3MedmonbJDysU/XGJ2pYRzCc21DMOJKsJvNrP/W38oZ
 wT6cLlJDBkJAKUAwhOgtre9+hsL86+XkdMOPjUMUYBf2yNeI22rdUQg5lW55/HB3n1
 Et663dJzPEHg5s08StlHlhnlbBwLZ0HRMF10LHS40oA8zV5u2aH85GDM87XBbExvNk
 z3H0x3yUZrOjQ==
Original-Received: from pastel (unknown [45.72.195.111])
 by mail01.iro.umontreal.ca (Postfix) with ESMTPSA id D0506120475;
 Fri, 12 Aug 2022 17:41:01 -0400 (EDT)
In-Reply-To: <86y1vul261.fsf@gmail.com> (Tim Cross's message of "Fri, 12 Aug
 2022 10:29:22 +1000")
Received-SPF: pass client-ip=132.204.25.50;
 envelope-from=monnier@iro.umontreal.ca; helo=mailscanner.iro.umontreal.ca
X-Spam_score_int: -42
X-Spam_score: -4.3
X-Spam_bar: ----
X-Spam_report: (-4.3 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3,
 SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
 T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Emacs development discussions." <emacs-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/emacs-devel>,
 <mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/emacs-devel>
List-Post: <mailto:emacs-devel@gnu.org>
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/emacs-devel>,
 <mailto:emacs-devel-request@gnu.org?subject=subscribe>
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org
Original-Sender: "Emacs-devel"
 <emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org>
Xref: news.gmane.io gmane.emacs.devel:293394
Archived-At: <http://permalink.gmane.org/gmane.emacs.devel/293394>

> - There are actually very few security issues reported for Elisp
>   packages.  This doesn't mean there aren't any, only that they are
>   discovered and reported very rarely.

Agreed.
And I suspect that security issues are much more common than are reported.
[ Lots of Emacs packages are written under the implicit assumption that the
  current buffer contains something mildly-trustworthy.  ]

> - It would require package maintainers to somehow flag that an update is
>   a security update rather than just a standard update. As it is already
>   somewhat challenging to get many package maintainers to include
>   consistent change logs in their packages, I suspect then also asking
>   them to distinguish security updates from normal updatges may be
>   asking too much.

I'm not sure it would be a big problem.  But I'm not sure it would be an
improvement either.  Especially because I suspect it might give the
false impression that the code of ELisp packages is somewhat
security-conscious, whereas in my experience, the vast majority of Emacs
packages isn't (they may end up secure by accident, of course).


        Stefan