From: Stefan Monnier
Newsgroups: gmane.emacs.devel
Subject: Re: feature/package+vc 04c4c578c7 3/4: Allow for packages to be installed directly from VCS
Date: Sat, 08 Oct 2022 12:35:27 -0400
References: <164484721900.31751.1453162457552427931@vcs2.savannah.gnu.org> <20220214140020.04438C00891@vcs2.savannah.gnu.org> <87bkqmqpvb.fsf@posteo.net> <871qris3xb.fsf@gnus.org>
In-Reply-To: <871qris3xb.fsf@gnus.org> (Lars Ingebrigtsen's message of "Sat, 08 Oct 2022 17:58:24 +0200")
To: Lars Ingebrigtsen
Cc: Philip Kaludercic, emacs-devel@gnu.org
Xref: news.gmane.io gmane.emacs.devel:297209

> If we don't have such a list, then adding the basic functionality sounds
> useful anyway -- that is, allowing users to say `M-x
> package-install-from-repo' or something and then they type in the URL of
> that repo -- that's fine, and leaves the security implications to the
> user (where they already are today for people that install from external
> repos).

Indeed there are 2 different steps:

- installing from a particular "URL" (well, a URL plus some extra side
  info, tho that side info can be empty in many cases).  AFAIK that's what
  Philip's code currently offers.

- provide some way to let the user specify a package name and let
  something else map that to a "URL".  This is the more risky step and
  I don't think his code implements that yet.

Not sure how to address the security issue at that step, other than by
dumping the problem onto the users: show them the URL and ask them if
they're OK with it.

But as Philip points out, the (Non)GNU ELPA packages, while signed and
all, just blindly pull from those same URLs to build the tarballs, so the
difference is not as large as it seems.

> But if we list these repos in `M-x list-packages', that's a very
> different issue.

It also depends on where the list comes from.


        Stefan
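As an added illustration of the two-step split discussed above (installing from a concrete URL versus mapping a package name to a URL), here is hypothetical Emacs Lisp that keeps the risky name-to-URL step separate, shows the resolved URL to the user and only then hands the spec to the install-from-URL step; this is not code from Emacs or from Philip's package-vc branch, and `my-package-vc-specs`, `my-package-vc-install-from-name` and the sample spec table are all assumptions.

```elisp
;; Added example, not Emacs or package-vc code.  All names are hypothetical.
(require 'url-parse)

(defvar my-package-vc-specs
  '((foo . (:url "https://example.org/foo.git" :branch "main"))
    (bar . (:url "https://example.org/bar.git")))
  "Constructed sample mapping from package name to a \"URL\" plus side info.
In a real setup this table would come from an archive, which is exactly
where the trust question lives.")

(defun my-package-vc--resolve (name)
  "Return the spec for NAME, or signal an error if NAME is unknown."
  (or (alist-get name my-package-vc-specs)
      (error "No VCS spec known for package `%s'" name)))

(defun my-package-vc--check-url (url)
  "Reject URLs that are malformed or not served over HTTPS; return URL."
  (let ((u (url-generic-parse-url url)))
    (unless (and (url-type u) (url-host u))
      (error "Malformed repository URL: %s" url))
    (unless (string= (url-type u) "https")
      (error "Refusing non-HTTPS repository: %s" url))
    url))

(defun my-package-vc-install-from-name (name install-fn)
  "Map NAME to a spec, show the URL, and call INSTALL-FN only on consent.
INSTALL-FN stands in for the step that installs from a concrete URL
\(the step the discussion says already exists).  Returns INSTALL-FN's
value, or nil when the user declines."
  (let* ((spec (my-package-vc--resolve name))
         (url (my-package-vc--check-url (plist-get spec :url))))
    ;; The user sees where the code will be fetched from before anything runs.
    (if (yes-or-no-p (format "Install `%s' from %s (branch %s)? "
                             name url (or (plist-get spec :branch) "default")))
        (funcall install-fn spec)
      (message "Installation of `%s' cancelled" name)
      nil)))

;; Usage (interactive): resolves `foo', prompts with the URL, then installs.
;; (my-package-vc-install-from-name 'foo (lambda (spec) (message "would install %S" spec)))
```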