From mboxrd@z Thu Jan 1 00:00:00 1970
From: Jean Louis
Newsgroups: gmane.emacs.devel
Subject: Re: Proposal for an Emacs User Survey
Date: Fri, 16 Oct 2020 21:57:10 +0300
Message-ID: <20201016185710.GH11061@protected.rcdrun.com>
References: <20201012050418.GZ2923@protected.rcdrun.com> <20201013052736.GE31408@protected.rcdrun.com> <20201016130235.06218dae@argon> <20201016142436.187b8210@argon>
To: Thibaut Verron
Cc: Marcel Ventosa, Richard Stallman, emacs-devel
User-Agent: Mutt/1.14.0 (2020-05-02)
List-Id: "Emacs development discussions."
Xref: news.gmane.io gmane.emacs.devel:257848

* Thibaut Verron [2020-10-16 10:54]:
> I personally don't think many users install non-free software because
> they saw it wrapped in a Melpa package.

- helm-lastpass was downloaded 777 times
- lastpass was downloaded 987 times

1 user guided to use non-free software is already many.

- chatwork package was downloaded 1093 times

> Taking the example of emacs-lastpass given above, I don't see how
> anyone would even find this package without searching for it with the
> keyword "lastpass".

They can find it in the list; for the majority of packages I did not
search by keyword, I was just downloading, inspecting the code for a
short time, and trying to use it.

> The audience, rather, is users who are currently using Lastpass in
> their browsers but are interested in bringing some of their online
> activities to Emacs, but rely on their password manager to do so.

That is not based on data, unless you have made an opinion poll for
that specific package.
I am really thinking that some users will download lastpass when they
see there is an Emacs package for lastpass. I have been downloading
things like espeak or festival speech packages, which are free
software, when I have seen there are Emacs packages for speech; in the
same way users will be guided to proprietary software.

MELPA is to ELPA what Archlinux and Debian are to Guix and other free
software distributions. They do not explicitly warn users about
proprietary software, even though I do not think MELPA is letting
non-free software be distributed.

> I absolutely support the fact that Melpa is not activated by default,
> and that there should be a warning about the existence of those
> packages everywhere possible. But I still consider that the value of
> those packages outweigh their dangers, just like the win32 build of
> Emacs.

Proprietary software wrapped is a security issue, and the largest
danger is lack of security, as MELPA is not reviewing software
updates; at any time malicious code can be inserted which could affect
thousands of users.

Here is an example when Gentoo Linux was cracked on GitHub:
https://nakedsecurity.sophos.com/2018/06/29/linux-distro-hacked-on-github-all-code-considered-compromised/

Here is an example when the Linux Mint distribution was cracked:
https://www.techrepublic.com/article/why-the-linux-mint-hack-is-an-indicator-of-a-larger-problem/