* GNU ELPA security and Org-mode
From: Stefan Monnier @ 2017-04-06 15:04 UTC (permalink / raw)
To: emacs-devel
I just realized that the GPG-signing we're doing in GNU ELPA is
weaker for the org-mode packages than for all the others:
All GNU ELPA packages, except for org-mode, are generated by
elpa.gnu.org from an elpa.git checkout (via https, not sure if Git
checks the key), whereas the org-mode package is downloaded from
http://orgmode.org/elpa.
So the org-mode package has weaker points:
- uses http rather than https.
- downloaded from a machine that's further (well, not absolutely sure,
but I assume that elpa.gnu.org and git.sv.gnu.org are near each other).
Maybe we should consider some way to take the org packages from
http://orgmode.org/elpa, and push them to elpa.git. This way even if
this transfer from orgmode.org to elpa.git suffers from the same risks,
the resulting patch would be sent to elpa-diffs, so it would be exposed
for review (how much review it would really get is clearly debatable,
tho).
Stefan
* Re: GNU ELPA security and Org-mode
From: Bastien @ 2018-04-28 11:19 UTC (permalink / raw)
To: Stefan Monnier; +Cc: emacs-devel
Hi Stefan,
Stefan Monnier <monnier@iro.umontreal.ca> writes:
> So the org-mode package has weaker points:
> - uses http rather than https.
Just to mention that org is now available through https too:
~$ git clone https://code.orgmode.org/bzg/org-mode.git
Not sure if something remains to be done in this thread, but
if I can help let me know.
Best,
--
Bastien
* Re: GNU ELPA security and Org-mode
From: Stefan Monnier @ 2018-04-30 2:15 UTC (permalink / raw)
To: Bastien; +Cc: emacs-devel
>> So the org-mode package has weaker points:
>> - uses http rather than https.
> Just to mention that org is now available through https too:
> ~$ git clone https://code.orgmode.org/bzg/org-mode.git
We don't use the Git (currently), but yes, thanks for making an https
version available.
> Not sure if something remains to be done in this thread, but
> if I can help let me know.
Well, if the "list of tarballs" (at https://orgmode.org/elpa) could be
kept in a Git branch instead, that would be great.
Stefan
* Re: GNU ELPA security and Org-mode
From: Bastien @ 2018-04-30 7:13 UTC (permalink / raw)
To: Stefan Monnier; +Cc: emacs-devel
Hi Stefan,
Stefan Monnier <monnier@IRO.UMontreal.CA> writes:
> Well, if the "list of tarballs" (at https://orgmode.org/elpa) could be
> kept in a Git branch instead, that would be great.
Not sure what you mean exactly by keeping the list of tarballs in a
Git branch. In which Git repository?
--
Bastien
* Re: GNU ELPA security and Org-mode
From: Stefan Monnier @ 2018-04-30 12:29 UTC (permalink / raw)
To: Bastien; +Cc: emacs-devel
>> Well, if the "list of tarballs" (at https://orgmode.org/elpa) could be
>> kept in a Git branch instead, that would be great.
> Not sure what you mean exactly by keeping the list of tarballs in a
> Git branch.
Just that instead of having a bunch of tarballs in a directory (where
each tarball corresponds to a particular tree of files), I'd much rather
have a Git branch (where each revision holds a corresponding tree of
files).
> In which Git repository?
Doesn't matter which (tho, ideally, it should be elpa.git, and the
branch should be named "externals/org").
Stefan
* Re: GNU ELPA security and Org-mode
From: Bastien @ 2018-04-30 13:34 UTC (permalink / raw)
To: Stefan Monnier; +Cc: emacs-devel
Hi Stefan,
Stefan Monnier <monnier@IRO.UMontreal.CA> writes:
> Doesn't matter which (tho, ideally, it should be elpa.git, and the
> branch should be named "externals/org").
To summarise:
- I create a branch on elpa.git called "externals/org".
- I create the "elpa/packages/org" directory in this branch.
- I copy the content of an Org ELPA archive (e.g. org-20180430.tar)
into this directory, with org-{version|pkg|loaddefs}.el files.
- I commit and publish this "externals/org" branch on the public
elpa.git repository.
Is that so?
--
Bastien
* Re: GNU ELPA security and Org-mode
From: Stefan Monnier @ 2018-04-30 13:42 UTC (permalink / raw)
To: Bastien; +Cc: emacs-devel
> - I create a branch on elpa.git called "externals/org".
Right.
> - I create the "elpa/packages/org" directory in this branch.
No. It should contain the same files with the same names as the
tarball would.
> - I copy the content of an Org ELPA archive (eg org-20180430.tar)
> into this directory, with org-{version|pkg|loaddefs}.el files.
Yes, except for org-pkg.el (the corresponding info should be in org.el
instead).
> - I commit and publish this "externals/org" branch on the public
> elpa.git repository.
> Is that so?
Yup,
Stefan
* Re: GNU ELPA security and Org-mode
From: Stefan Monnier @ 2018-04-30 13:52 UTC (permalink / raw)
To: emacs-devel
>> - I create a branch on elpa.git called "externals/org".
> Right.
To clarify, this is not a branch of the `master` branch of elpa.git.
It's rather a brand new empty branch (or maybe a branch taken from
org.git/master).
Stefan
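As an added example (not code from the thread, and not the scripts run on elpa.gnu.org), the following POSIX shell function carries out the procedure Bastien summarises and Stefan corrects above: unpack one Org ELPA tarball, leave out org-pkg.el, put the remaining files at the root of a branch of elpa.git with the same names the tarball uses, and make that branch a brand-new orphan with no history shared with master, later imports becoming child commits. Because each tarball then lands as a commit, the change between two Org releases shows up as a reviewable diff (the exposure to elpa-diffs that the first message in the thread asks for) instead of an opaque archive swap. The function names `import_org_tarball` and `branch_files` are my own; it assumes the tarball wraps its files in a single top-level directory (org-YYYYMMDD/), that the elpa.git checkout is an ordinary clone with a `.git` directory, and that `git` and `tar` are on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread or from the elpa.git tooling.
# Imports the files of one Org ELPA tarball (e.g. org-20180430.tar) into a
# branch of an elpa.git checkout: files at the root of the branch, same
# names as in the tarball, org-pkg.el left out, branch born as an orphan.
# Assumptions: the tarball unpacks into one top-level directory, ELPA_DIR is
# an ordinary clone with a .git directory, git and tar are on PATH.
set -eu

# import_org_tarball ELPA_DIR TARBALL [BRANCH]
# Prints the hash of the commit that now heads BRANCH (default externals/org).
import_org_tarball() {
    elpa_abs=$(cd "$1" && pwd -P)
    tarball=$2
    branch=${3:-externals/org}
    ref="refs/heads/$branch"

    workdir=$(mktemp -d)
    tar -xf "$tarball" -C "$workdir"

    # Locate the single top-level directory (org-YYYYMMDD/) the tarball unpacks to.
    topdir=
    for d in "$workdir"/*/; do topdir=${d%/}; break; done
    [ -d "$topdir" ] || { echo "no top-level directory in $tarball" >&2; rm -rf "$workdir"; return 1; }

    # org-pkg.el is generated on elpa.gnu.org from org.el's headers, so it
    # must not be committed; the version comes from org.el's "Version:" line.
    rm -f "$topdir/org-pkg.el"

    # Build a tree object from the unpacked files through a throwaway index,
    # so the current checkout and index of ELPA_DIR are never touched.
    tree=$(
        cd "$topdir"
        export GIT_DIR="$elpa_abs/.git" GIT_WORK_TREE="$topdir" GIT_INDEX_FILE="$workdir/index"
        git add -A . >/dev/null && git write-tree
    )

    # First import: a parentless (orphan) commit. Later imports: a child of
    # the branch tip, so every revision holds the tree of one tarball.
    parent_args=
    if git -C "$elpa_abs" show-ref --verify --quiet "$ref"; then
        parent_args="-p $(git -C "$elpa_abs" rev-parse --verify "$ref")"
    fi
    commit=$(printf 'Import %s\n' "$(basename "$tarball")" \
             | git -C "$elpa_abs" commit-tree "$tree" $parent_args)
    git -C "$elpa_abs" update-ref "$ref" "$commit"

    rm -rf "$workdir"
    echo "$commit"
}

# branch_files ELPA_DIR [BRANCH]: list the files stored at the branch tip,
# which should read org.el, org-agenda.el, ... with no leading directory.
branch_files() {
    git -C "$1" ls-tree -r --name-only "refs/heads/${2:-externals/org}"
}
```

Usage: `import_org_tarball ~/src/elpa org-20180430.tar` followed by `git -C ~/src/elpa log --stat externals/org` shows each imported tarball as its own commit, and `git diff externals/org~1 externals/org` is the review-sized change between two Org releases. Writing the tree through `git write-tree` and `git commit-tree` instead of checking the branch out keeps the import from ever depending on, or disturbing, whatever happens to be in the working tree.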
* Re: GNU ELPA security and Org-mode
From: Bastien @ 2018-04-30 13:55 UTC (permalink / raw)
To: Stefan Monnier; +Cc: emacs-devel
Thanks for the feedback.
Stefan Monnier <monnier@IRO.UMontreal.CA> writes:
>> - I create the "elpa/packages/org" directory in this branch.
>
> No. It should contain the same files with the same names as the
> tarball would.
Not sure here.
Do you mean elpa.git should contain
elpa/packages/org-20180430/org.el
elpa/packages/org-20180430/org-table.el
etc.?
>> - I copy the content of an Org ELPA archive (eg org-20180430.tar)
>> into this directory, with org-{version|pkg|loaddefs}.el files.
>
> Yes, except for org-pkg.el (the corresponding info should be in org.el
> instead).
Because org-pkg.el is generated by elpa/GNUmakefile, right?
If so, why add org-loaddefs.el since org-autoloads.el would also be
autogenerated?
And would org-version.el still be required?
Or would the package version just be extracted from the org.el
"Version: 9.1.12" keyword?
If possible, I'd like to not add org-loaddefs.el and org-version.el
and have org-autoloads.el and the package version autogenerated like
for any other package.
--
Bastien
* Re: GNU ELPA security and Org-mode
From: Stefan Monnier @ 2018-04-30 14:00 UTC (permalink / raw)
To: emacs-devel
>>> - I create the "elpa/packages/org" directory in this branch.
>> No. It should contain the same files with the same names as the
>> tarball would.
> Not sure here.
> Do you mean elpa.git should contain
> elpa/packages/org-20180430/org.el
> elpa/packages/org-20180430/org-table.el
No:
% cd .../elpa; git checkout externals/org; ls
should show something like
org.el
org-agenda.el
...
-- Stefan
* Re: GNU ELPA security and Org-mode
From: Bastien @ 2018-04-30 14:07 UTC (permalink / raw)
To: Stefan Monnier; +Cc: emacs-devel
Stefan Monnier <monnier@iro.umontreal.ca> writes:
>>>> - I create the "elpa/packages/org" directory in this branch.
>>> No. It should contain the same files with the same names as the
>>> tarball would.
>> Not sure here.
>> Do you mean elpa.git should contain
>> elpa/packages/org-20180430/org.el
>> elpa/packages/org-20180430/org-table.el
>
> No:
>
> % cd .../elpa; git checkout externals/org; ls
>
> should show something like
>
> org.el
> org-agenda.el
> ...
Okay, thanks, will do this.
BTW, https://elpa.gnu.org seems down ATM.
--
Bastien
* Re: GNU ELPA security and Org-mode
From: Bastien @ 2018-04-30 14:10 UTC (permalink / raw)
To: Stefan Monnier; +Cc: emacs-devel
Bastien <bzg@gnu.org> writes:
> If so, why adding org-loaddefs.el since org-autoloads.el would also be
> autogenerated?
>
> And would org-version.el still be required?
Just for this: shall I add org-version.el and org-loaddefs.el?
--
Bastien
* Re: GNU ELPA security and Org-mode
From: Stefan Monnier @ 2018-04-30 14:18 UTC (permalink / raw)
To: emacs-devel
>> If so, why adding org-loaddefs.el since org-autoloads.el would also be
>> autogenerated?
>> And would org-version.el still be required?
I don't really know precisely what those files are about, but to the
extent that they're specific to Org, I don't see any reason to treat
them differently from any other org*.el file here.
AFAIK org-loaddefs.el is supposed to only be loaded when org-mode is
activated, whereas org-autoloads.el is loaded at Emacs start up (so it
should mostly contain an autoload for `org-mode` itself).
The elpa.gnu.org scripts will not look for the package's version in
org-version.el but in org.el's "Version:" header, but presumably
org-version.el is used by Org, so it's probably still useful (tho Org
could be changed to look for the corresponding info in org.el's
"Version:" header as well).
Stefan
* Re: GNU ELPA security and Org-mode
From: Bastien @ 2018-04-30 15:18 UTC (permalink / raw)
To: Stefan Monnier; +Cc: emacs-devel
Stefan Monnier <monnier@iro.umontreal.ca> writes:
>>> If so, why adding org-loaddefs.el since org-autoloads.el would also be
>>> autogenerated?
>>> And would org-version.el still be required?
>
> I don't really know precisely what those files are about, but to the
> extent that they're specific to Org, I don't see any reason to treat
> them differently from any other org*.el file here.
Okay.
> AFAIK org-loaddefs.el is supposed to only be loaded when org-mode is
> activated, whereas org-autoloads.el is loaded at Emacs start up (so it
> should mostly contain an autoload for `org-mode` itself).
Got it, thanks.
> The elpa.gnu.org scripts will not look for the package's version in
> org-version.el but in org.el's "Version:" header, but presumably
> org-version.el is used by Org, so it's probably still useful (tho Org
> could be changed to look for the corresponding info in org.el's
> "Version:" header as well).
Yes, that's another topic.
Do you have an example of a package where M-x [package]-version RET
looks for the version in the Version: header?
--
Bastien