unofficial mirror of emacs-devel@gnu.org 
* GNU ELPA security and Org-mode
@ 2017-04-06 15:04 Stefan Monnier
  2018-04-28 11:19 ` Bastien
  0 siblings, 1 reply; 18+ messages in thread
From: Stefan Monnier @ 2017-04-06 15:04 UTC (permalink / raw)
  To: emacs-devel

I just realized that the GPG-signing we're doing in GNU ELPA is
weaker for the org-mode packages than for all others:

All GNU ELPA packages, except for org-mode, are generated by
elpa.gnu.org from an elpa.git checkout (via https, not sure if Git
checks the key), whereas the org-mode package is downloaded from
http://orgmode.org/elpa.

So the org-mode package has weaker points:
- uses http rather than https.
- downloaded from a machine that's further (well, not absolutely sure,
  but I assume that elpa.gnu.org and git.sv.gnu.org are near each other).

Maybe we should consider some way to take the org packages from
http://orgmode.org/elpa, and push them to elpa.git.  This way even if
this transfer from orgmode.org to elpa.git suffers from the same risks,
the resulting patch would be sent to elpa-diffs, so it would be exposed
for review (how much review it would really get is clearly debatable,
tho).


        Stefan





* Re: GNU ELPA security and Org-mode
  2017-04-06 15:04 GNU ELPA security and Org-mode Stefan Monnier
@ 2018-04-28 11:19 ` Bastien
  2018-04-30  2:15   ` Stefan Monnier
  0 siblings, 1 reply; 18+ messages in thread
From: Bastien @ 2018-04-28 11:19 UTC (permalink / raw)
  To: Stefan Monnier; +Cc: emacs-devel

Hi Stefan,

Stefan Monnier <monnier@iro.umontreal.ca> writes:

> So the org-mode package has weaker points:
> - uses http rather than https.

Just to mention that org is now available through https too:

 ~$ git clone https://code.orgmode.org/bzg/org-mode.git

Not sure if something remains to be done in this thread, but
if I can help let me know.

Best,

-- 
 Bastien




* Re: GNU ELPA security and Org-mode
  2018-04-28 11:19 ` Bastien
@ 2018-04-30  2:15   ` Stefan Monnier
  2018-04-30  7:13     ` Bastien
  0 siblings, 1 reply; 18+ messages in thread
From: Stefan Monnier @ 2018-04-30  2:15 UTC (permalink / raw)
  To: Bastien; +Cc: emacs-devel

>> So the org-mode package has weaker points:
>> - uses http rather than https.
> Just to mention that org is now available through https too:
>  ~$ git clone https://code.orgmode.org/bzg/org-mode.git

We don't use the Git (currently), but yes, thanks for making an https
version available.

> Not sure if something remains to be done in this thread, but
> if I can help let me know.

Well, if the "list of tarballs" (at https://orgmode.org/elpa) could be
kept in a Git branch instead, that would be great.


        Stefan




* Re: GNU ELPA security and Org-mode
  2018-04-30  2:15   ` Stefan Monnier
@ 2018-04-30  7:13     ` Bastien
  2018-04-30 12:29       ` Stefan Monnier
  0 siblings, 1 reply; 18+ messages in thread
From: Bastien @ 2018-04-30  7:13 UTC (permalink / raw)
  To: Stefan Monnier; +Cc: emacs-devel

Hi Stefan,

Stefan Monnier <monnier@IRO.UMontreal.CA> writes:

> Well, if the "list of tarballs" (at https://orgmode.org/elpa) could be
> kept in a Git branch instead, that would be great.

Not sure what you mean exactly by keeping the list of tarballs in a
Git branch.  In which Git repository?

-- 
 Bastien




* Re: GNU ELPA security and Org-mode
  2018-04-30  7:13     ` Bastien
@ 2018-04-30 12:29       ` Stefan Monnier
  2018-04-30 13:34         ` Bastien
  0 siblings, 1 reply; 18+ messages in thread
From: Stefan Monnier @ 2018-04-30 12:29 UTC (permalink / raw)
  To: Bastien; +Cc: emacs-devel

>> Well, if the "list of tarballs" (at https://orgmode.org/elpa) could be
>> kept in a Git branch instead, that would be great.
> Not sure what you mean exactly by keeping the list of tarballs in a
> Git branch.

Just that instead of having a bunch of tarballs in a directory (where
each tarball corresponds to a particular tree of files), I'd much rather
have a Git branch (where each revision holds a corresponding tree of
files).

> In which Git repository?

Doesn't matter which (tho, ideally, it should be elpa.git, and the
branch should be named "externals/org").


        Stefan




* Re: GNU ELPA security and Org-mode
  2018-04-30 12:29       ` Stefan Monnier
@ 2018-04-30 13:34         ` Bastien
  2018-04-30 13:42           ` Stefan Monnier
  0 siblings, 1 reply; 18+ messages in thread
From: Bastien @ 2018-04-30 13:34 UTC (permalink / raw)
  To: Stefan Monnier; +Cc: emacs-devel

Hi Stefan,

Stefan Monnier <monnier@IRO.UMontreal.CA> writes:

> Doesn't matter which (tho, ideally, it should be elpa.git, and the
> branch should be named "externals/org").

To summarise:

- I create a branch on elpa.git called "externals/org".

- I create the "elpa/packages/org" directory in this branch.

- I copy the content of an Org ELPA archive (eg org-20180430.tar)
  into this directory, with org-{version|pkg|loaddefs}.el files.

- I commit and publish this "externals/org" branch on the public
  elpa.git repository.

Is that so?

-- 
 Bastien




* Re: GNU ELPA security and Org-mode
  2018-04-30 13:34         ` Bastien
@ 2018-04-30 13:42           ` Stefan Monnier
  2018-04-30 13:52             ` Stefan Monnier
  2018-04-30 13:55             ` Bastien
  0 siblings, 2 replies; 18+ messages in thread
From: Stefan Monnier @ 2018-04-30 13:42 UTC (permalink / raw)
  To: Bastien; +Cc: emacs-devel

> - I create a branch on elpa.git called "externals/org".

Right.

> - I create the "elpa/packages/org" directory in this branch.

No.  It should contain the same files with the same names as the
tarball would.

> - I copy the content of an Org ELPA archive (eg org-20180430.tar)
>   into this directory, with org-{version|pkg|loaddefs}.el files.

Yes, except for org-pkg.el (the corresponding info should be in org.el
instead).

> - I commit and publish this "externals/org" branch on the public
>   elpa.git repository.
> Is that so?

Yup,


        Stefan




* Re: GNU ELPA security and Org-mode
  2018-04-30 13:42           ` Stefan Monnier
@ 2018-04-30 13:52             ` Stefan Monnier
  2018-04-30 13:55             ` Bastien
  1 sibling, 0 replies; 18+ messages in thread
From: Stefan Monnier @ 2018-04-30 13:52 UTC (permalink / raw)
  To: emacs-devel

>> - I create a branch on elpa.git called "externals/org".
> Right.

To clarify, this is not a branch of the `master` branch of elpa.git.
It's rather a brand new empty branch (or maybe a branch taken from
org.git/master).


        Stefan





* Re: GNU ELPA security and Org-mode
  2018-04-30 13:42           ` Stefan Monnier
  2018-04-30 13:52             ` Stefan Monnier
@ 2018-04-30 13:55             ` Bastien
  2018-04-30 14:00               ` Stefan Monnier
  2018-04-30 14:10               ` Bastien
  1 sibling, 2 replies; 18+ messages in thread
From: Bastien @ 2018-04-30 13:55 UTC (permalink / raw)
  To: Stefan Monnier; +Cc: emacs-devel

Thanks for the feedback.

Stefan Monnier <monnier@IRO.UMontreal.CA> writes:

>> - I create the "elpa/packages/org" directory in this branch.
>
> No.  It should contain the same files with the same names as the
> tarball would.

Not sure here.

Do you mean elpa.git should contain

elpa/packages/org-20180430/org.el
elpa/packages/org-20180430/org-table.el

etc.?

>> - I copy the content of an Org ELPA archive (eg org-20180430.tar)
>>   into this directory, with org-{version|pkg|loaddefs}.el files.
>
> Yes, except for org-pkg.el (the corresponding info should be in org.el
> instead).

Because org-pkg.el is generated by elpa/GNUmakefile, right?

If so, why add org-loaddefs.el since org-autoloads.el would also be
autogenerated?

And would org-version.el still be required?

Or would the package version just be extracted from the org.el
"Version: 9.1.12" keyword?

If possible, I'd like to not add org-loaddefs.el and org-version.el
and have org-autoloads.el and the package version autogenerated like
for any other package.

-- 
 Bastien




* Re: GNU ELPA security and Org-mode
  2018-04-30 13:55             ` Bastien
@ 2018-04-30 14:00               ` Stefan Monnier
  2018-04-30 14:07                 ` Bastien
  2018-04-30 14:10               ` Bastien
  1 sibling, 1 reply; 18+ messages in thread
From: Stefan Monnier @ 2018-04-30 14:00 UTC (permalink / raw)
  To: emacs-devel

>>> - I create the "elpa/packages/org" directory in this branch.
>> No.  It should contain the same files with the same names as the
>> tarball would.
> Not sure here.
> Do you mean elpa.git should contain
> elpa/packages/org-20180430/org.el
> elpa/packages/org-20180430/org-table.el

No:

   % cd .../elpa; git checkout externals/org; ls

should show something like

   org.el
   org-agenda.el
   ...
   

-- Stefan




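One way to turn an Org tarball into the tree Stefan describes for the "externals/org" branch (files at top level, no org-pkg.el, version read from org.el's "Version:" header), as an added example that is not code from this thread or from the elpa.gnu.org scripts. The sample tarball is constructed, and the git steps (orphan branch, add, commit) are left to the caller; extraction is validated first so a tarball fetched over the network cannot write outside the checkout.

```python
import io, re, tarfile, tempfile
from pathlib import Path, PurePosixPath
GENERATED = {"org-pkg.el"}  # elpa.gnu.org generates this itself; keep it out
VERSION_RE = re.compile(r"^;;+\s*Version:\s*(\S+)", re.MULTILINE)

def import_org_tarball(tar_bytes, dest):
    """Lay out an Org tarball as the branch tree: top-level files, no generated files."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        members = [m for m in tar.getmembers() if not m.isdir()]
        # Validate all members before writing: no absolute paths, "..", links or devices.
        for m in members:
            p = PurePosixPath(m.name)
            if p.is_absolute() or ".." in p.parts or len(p.parts) < 2 or not m.isfile():
                raise ValueError(f"refusing suspicious tar member: {m.name}")
        written, version = [], None
        for m in members:
            rel = PurePosixPath(*PurePosixPath(m.name).parts[1:])  # strip org-YYYYMMDD/
            if rel.name in GENERATED:
                continue
            data = tar.extractfile(m).read()
            out = Path(dest).joinpath(*rel.parts)
            out.parent.mkdir(parents=True, exist_ok=True)
            out.write_bytes(data)
            written.append(str(rel))
            if str(rel) == "org.el":  # elpa.gnu.org reads the version from here
                found = VERSION_RE.search(data.decode("utf-8"))
                version = found.group(1) if found else None
    if version is None:
        raise ValueError("org.el lacks the Version: header elpa.gnu.org reads")
    return {"files": sorted(written), "version": version}

def build_sample_tarball(extra_member=None):
    """Constructed stand-in for org-20180430.tar (not a real Org release)."""
    files = {
        "org-20180430/org.el": b";;; org.el --- Outline-based notes\n;; Version: 9.1.12\n",
        "org-20180430/org-table.el": b";;; org-table.el --- tables\n",
        "org-20180430/org-pkg.el": b'(define-package "org" "20180430")\n',
    }
    if extra_member:  # lets a test inject a hostile member name
        files[extra_member] = b";; constructed\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name); info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def demo(extra_member=None):
    with tempfile.TemporaryDirectory() as tmp:
        return import_org_tarball(build_sample_tarball(extra_member), tmp)
```

Each import then becomes one commit on the branch, so what reaches elpa-diffs is the diff against the previous tarball rather than an opaque archive.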

* Re: GNU ELPA security and Org-mode
  2018-04-30 14:00               ` Stefan Monnier
@ 2018-04-30 14:07                 ` Bastien
  2018-04-30 16:37                   ` Stefan Monnier
  0 siblings, 1 reply; 18+ messages in thread
From: Bastien @ 2018-04-30 14:07 UTC (permalink / raw)
  To: Stefan Monnier; +Cc: emacs-devel

Stefan Monnier <monnier@iro.umontreal.ca> writes:

>>>> - I create the "elpa/packages/org" directory in this branch.
>>> No.  It should contain the same files with the same names as the
>>> tarball would.
>> Not sure here.
>> Do you mean elpa.git should contain
>> elpa/packages/org-20180430/org.el
>> elpa/packages/org-20180430/org-table.el
>
> No:
>
>    % cd .../elpa; git checkout externals/org; ls
>
> should show something like
>
>    org.el
>    org-agenda.el
>    ...

Okay, thanks, will do this.

BTW, https://elpa.gnu.org seems down ATM.

-- 
 Bastien




* Re: GNU ELPA security and Org-mode
  2018-04-30 13:55             ` Bastien
  2018-04-30 14:00               ` Stefan Monnier
@ 2018-04-30 14:10               ` Bastien
  2018-04-30 14:18                 ` Stefan Monnier
  1 sibling, 1 reply; 18+ messages in thread
From: Bastien @ 2018-04-30 14:10 UTC (permalink / raw)
  To: Stefan Monnier; +Cc: emacs-devel

Bastien <bzg@gnu.org> writes:

> If so, why adding org-loaddefs.el since org-autoloads.el would also be
> autogenerated?
>
> And would org-version.el still be required?

Just for this: shall I add org-version.el and org-loaddefs.el?

-- 
 Bastien




* Re: GNU ELPA security and Org-mode
  2018-04-30 14:10               ` Bastien
@ 2018-04-30 14:18                 ` Stefan Monnier
  2018-04-30 15:18                   ` Bastien
  0 siblings, 1 reply; 18+ messages in thread
From: Stefan Monnier @ 2018-04-30 14:18 UTC (permalink / raw)
  To: emacs-devel

>> If so, why adding org-loaddefs.el since org-autoloads.el would also be
>> autogenerated?
>> And would org-version.el still be required?

I don't really know precisely what those files are about, but to the
extent that they're specific to Org, I don't see any reason to treat
them differently from any other org*.el file here.

AFAIK org-loaddefs.el is supposed to only be loaded when org-mode is
activated, whereas org-autoloads.el is loaded at Emacs start up (so it
should mostly contain an autoload for `org-mode` itself).

The elpa.gnu.org scripts will not look for the package's version in
org-version.el but in org.el's "Version:" header, but presumably
org-version.el is used by Org, so it's probably still useful (tho Org
could be changed to look for the corresponding info in org.el's
"Version:" header as well).


        Stefan





* Re: GNU ELPA security and Org-mode
  2018-04-30 14:18                 ` Stefan Monnier
@ 2018-04-30 15:18                   ` Bastien
  2018-04-30 15:37                     ` Stefan Monnier
  0 siblings, 1 reply; 18+ messages in thread
From: Bastien @ 2018-04-30 15:18 UTC (permalink / raw)
  To: Stefan Monnier; +Cc: emacs-devel

Stefan Monnier <monnier@iro.umontreal.ca> writes:

>>> If so, why adding org-loaddefs.el since org-autoloads.el would also be
>>> autogenerated?
>>> And would org-version.el still be required?
>
> I don't really know precisely what those files are about, but to the
> extent that they're specific to Org, I don't see any reason to treat
> them differently from any other org*.el file here.

Okay.

> AFAIK org-loaddefs.el is supposed to only be loaded when org-mode is
> activated, whereas org-autoloads.el is loaded at Emacs start up (so it
> should mostly contain an autoload for `org-mode` itself).

Got it, thanks.

> The elpa.gnu.org scripts will not look for the package's version in
> org-version.el but in org.el's "Version:" header, but presumably
> org-version.el is used by Org, so it's probably still useful (tho Org
> could be changed to look for the corresponding info in org.el's
> "Version:" header as well).

Yes, that's another topic.

Do you have an example of a package where M-x [package]-version RET
looks for the version in the Version: header?

-- 
 Bastien




* Re: GNU ELPA security and Org-mode
  2018-04-30 15:18                   ` Bastien
@ 2018-04-30 15:37                     ` Stefan Monnier
  2018-05-01  8:07                       ` Bastien
  0 siblings, 1 reply; 18+ messages in thread
From: Stefan Monnier @ 2018-04-30 15:37 UTC (permalink / raw)
  To: emacs-devel

> Do you have an example of a package where M-x [package]-version RET
> looks for the version in the Version: header?

I did that in bbdb, yes (in elpa.git).


        Stefan





* Re: GNU ELPA security and Org-mode
  2018-04-30 14:07                 ` Bastien
@ 2018-04-30 16:37                   ` Stefan Monnier
  2018-05-01  8:07                     ` Bastien
  0 siblings, 1 reply; 18+ messages in thread
From: Stefan Monnier @ 2018-04-30 16:37 UTC (permalink / raw)
  To: Bastien; +Cc: emacs-devel

> BTW, https://elpa.gnu.org seems down ATM.

You got unlucky: I was just performing a minor "aptitude upgrade" on it.


        Stefan




* Re: GNU ELPA security and Org-mode
  2018-04-30 16:37                   ` Stefan Monnier
@ 2018-05-01  8:07                     ` Bastien
  0 siblings, 0 replies; 18+ messages in thread
From: Bastien @ 2018-05-01  8:07 UTC (permalink / raw)
  To: Stefan Monnier; +Cc: emacs-devel

Stefan Monnier <monnier@IRO.UMontreal.CA> writes:

>> BTW, https://elpa.gnu.org seems down ATM.
>
> You got unlucky: I was just performing a minor "aptitude upgrade" on
> it.

No problem, it's working fine now, thanks.

-- 
 Bastien




* Re: GNU ELPA security and Org-mode
  2018-04-30 15:37                     ` Stefan Monnier
@ 2018-05-01  8:07                       ` Bastien
  0 siblings, 0 replies; 18+ messages in thread
From: Bastien @ 2018-05-01  8:07 UTC (permalink / raw)
  To: Stefan Monnier; +Cc: emacs-devel

Stefan Monnier <monnier@iro.umontreal.ca> writes:

>> Do you have an example of a package where M-x [package]-version RET
>> looks for the version in the Version: header?
>
> I did that in bbdb, yes (in elpa.git).

Thanks,

-- 
 Bastien



