From: Jean Louis
Newsgroups: gmane.emacs.devel
Subject: Re: Proposal for an Emacs User Survey
Date: Fri, 16 Oct 2020 20:04:12 +0300
Message-ID: <20201016170412.GD11061@protected.rcdrun.com>
To: Thibaut Verron
Cc: Marcel Ventosa, Richard Stallman, emacs-devel

* Thibaut Verron [2020-10-16 09:53]:
> On Fri, 16 Oct 2020 at 08:03, Marcel Ventosa wrote:
> >
> > On Thu, 15 Oct 2020 23:59:07 -0400
> > Richard Stallman wrote:
> >
> > > I hope that only a minority of Emacs users know about MELPA, and I'd
> > > rather not inform the rest about it. But if something is going to
> > > inform them anyway, it is better to do it with a denunciation.
> > >
> > I've been using Emacs (and MELPA) for the best part of a decade and
> > knew nothing about this! I'm concerned to use only free software and
> > actively avoid proprietary software, so this is a bit of a shock.
>
> As I understand it, Melpa packages cannot *be* or *install* non-free
> software. But some will not work without such software, which can in
> theory encourage users to install it.

MELPA as such is definitely a free software project with few freedom issues with some packages and a lax attitude on usage of proprietary information through Emacs.

For example, I like that when I find a definition in a dictionary, I can freely include it in the instruction book, and not that I am chased with licenses not allowing me to include such information.

MELPA does have a checklist for packages:

Checklist

Please confirm with x:

The package is released under a GPL-Compatible Free Software License.
[x ] I've read CONTRIBUTING.org
[ x] I've used the latest version of package-lint to check for packaging issues, and addressed its feedback
[ x] My elisp byte-compiles cleanly
[ x] M-x checkdoc is happy with my docstrings
[ x] I've built and installed the package using the instructions in CONTRIBUTING.org
I have confirmed some of these without doing them

Example: https://github.com/melpa/melpa/pull/6387

People and the MELPA maintainer are verifying packages, but they cannot possibly verify them each time. So it is prone to security issues at any time.

Once a package is accepted, they are not automatically verifying the package; as far as I understand, packages are built in real time and offered to users in real time. Any account can be cracked and malicious code introduced at any time.

GitHub is in general an unsafe place for development, as it is held by a major company providing proprietary software; one never knows what they are up to.