From: Thomas Koch
Newsgroups: gmane.emacs.devel
Subject: Re: security of the emacs package system, elpa, melpa and marmalade
Date: Sat, 13 Sep 2014 19:57:15 +0200
Message-ID: <201409131957.16399.thomas@koch.ro>
In-Reply-To: <877ge29ug8.fsf@wanadoo.es>
To: emacs-devel@gnu.org
Cc: Óscar Fuentes

On Friday, September 27, 2013 05:04:55 PM Óscar Fuentes wrote:
> I don't think that comparing Emacs to a web browser used by tens of
> millions is fair. The latter is a major attack target/vector for any
> crook, while Emacs is mostly uninteresting. No matter all the effort the
> Mozilla guys put on security, it is their web browser the real security
> threat on your system, not Emacs.

If I had criminal interest and the possibility to distribute malicious lisp
code to a few hundred emacs users I'd:

- collect all private ssh and gpg keys found in the victims' homedir and access
  data to their email accounts
- replace my attack lisp code with legitimate code after it has done its work
- sell the collected data to interested parties

I know that there are a lot of emacs users that are system administrators of
interesting targets.

Regards,

Thomas Koch