From: Matthias Dahl <ml_emacs-lists@binary-island.eu>
To: Stefan Monnier <monnier@iro.umontreal.ca>
Cc: emacs-devel@gnu.org
Subject: Re: security of the emacs package system, elpa, melpa and marmalade
Date: Wed, 25 Sep 2013 10:11:41 +0200 [thread overview]
Message-ID: <52429ABD.6090603@binary-island.eu> (raw)
In-Reply-To: <jwvy56n7hsj.fsf-monnier+emacs@gnu.org>
Hello Stefan...
> The current state, AFAIK is that we decided that ELPA servers should
> put *.gpg signatures alongside their tarballs and other files, signed
> with an "archive" key. This signature can be used to check that the
> package you get indeed comes from that archive.
Which is absolutely fabulous and will make it harder to temper with
packages on one of the package repositories. Suffice to say, this won't
do anything for preventing malicious code from (a hacked) upstream
slipping through -- and this approach is not feasible for MELPA which is
becoming (afaict) more and more popular these days.
> Not gonna happen, indeed. It doesn't happen for Debian either, FWIW, so
> it's usually not considered as a very major problem.
The situation with Debian (and any other well maintained distro) is a
bit different, imho. There are dedicated distro maintainers taking care
of their packages and some distros also have a QA procedure. There are
usually just more eyes watching and testing. Also, a lot of those
upstream projects have a team of people working on their project which
will make tempering on a decent dvcs easier to spot.
In the Emacs ecosystem, people take code from the wiki or from any of
the package repositories, knowing nothing about usually the single
person who wrote said package... especially nothing about how security
of their accounts is handled in terms of passwords, pubkeys and
whatever. So a github could get hacked, malicious code placed without
the maintainer even noticing for a very long period because he just
moved on. And so on...
Granted, those are all absolutely worst-case scenarios and one could
argue for days about how likely and relevant such incidents really are.
But apart from that, there is naturally also the other side: Security
leaks due to bad code caused simply by inexperience which could be
exploited.
> Sandboxing could be an interesting direction, but it seems very
> difficult: not only it'll be a non-trivial amount of implementation
> work, but even just designing it will be difficult, due to the current
> nature of Emacs's design where everything is global and shared.
I've been thinking about this really hard as well. And I've to admit,
I'm not (at least not yet) an Emacs/elisp expert. But not every package
needs to overwrite some core functions.
One idea thrown into discussion: We could differentiate between core and
non-core functions. This would allow the introduction of a new
permission like "re-define core function"... which naturally is like
granting a program root access.
A core function could be, imho, any function that comes bundled with
Emacs when it starts up - possibly including init.el and the user's
modifications. If the user decides to load packages on his own, we could
provide a new argument to load-file to pass a permission context in.
And naturally, to avoid any priviledge escalation, we'd only allow
permission narrowing and never widening. But I already touched that in
my last mail.
I agree, such a "sandbox" project would be quite an endeavour to take on
and would require a great deal of careful designing and implementing.
The question is this: Would there be any interest and motivation from
the current dev community to drive such an endeavour? Because otherwise
such a project would be doomed to fail, imho.
Sorry for my late reply, by the way. I am currently fighting a nasty
kind of human virus. I already tried putting my hand on the CPU and
running an anti-virus scanner which surprisingly did not work. ;-)
So long,
Matthias
--
Dipl.-Inf. (FH) Matthias Dahl | Software Engineer | binary-island.eu
services: custom software [desktop, mobile, web], server administration
next prev parent reply other threads:[~2013-09-25 8:11 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-09-23 7:30 security of the emacs package system, elpa, melpa and marmalade Matthias Dahl
2013-09-23 14:17 ` Stefan Monnier
2013-09-25 8:11 ` Matthias Dahl [this message]
2013-09-25 17:00 ` Stefan Monnier
2013-09-25 18:31 ` Matthias Dahl
2013-09-25 22:42 ` Bastien
2013-09-26 9:02 ` Matthias Dahl
2013-09-27 14:02 ` Bastien
2013-09-27 14:17 ` Matthias Dahl
2013-09-27 14:19 ` Bastien
2013-09-27 18:29 ` Matthias Dahl
2013-09-26 1:09 ` Stefan Monnier
2013-09-26 9:02 ` Matthias Dahl
2013-09-26 9:21 ` Óscar Fuentes
2013-09-26 14:41 ` Stefan Monnier
2013-09-27 14:17 ` Matthias Dahl
2013-09-27 15:47 ` Stefan Monnier
2013-09-28 14:15 ` Richard Stallman
2013-09-30 15:12 ` Matthias Dahl
2013-09-30 21:11 ` Richard Stallman
2013-09-30 15:31 ` Matthias Dahl
2013-09-26 1:12 ` Stephen J. Turnbull
2013-09-26 9:02 ` Matthias Dahl
2013-09-27 7:10 ` Stephen J. Turnbull
2013-09-27 14:18 ` Matthias Dahl
2013-09-27 17:31 ` Stephen J. Turnbull
2013-09-30 15:25 ` Matthias Dahl
2013-10-01 2:19 ` Stephen J. Turnbull
2013-09-27 20:12 ` chad
2013-09-26 9:31 ` Andreas Röhler
2013-09-26 16:25 ` Richard Stallman
2013-09-27 14:18 ` Matthias Dahl
2013-09-27 15:04 ` Óscar Fuentes
2014-09-13 17:57 ` Thomas Koch
2013-09-29 10:12 ` Ted Zlatanov
2013-09-29 9:53 ` Ted Zlatanov
2013-09-29 17:49 ` Daiki Ueno
2013-09-29 18:18 ` Ted Zlatanov
2013-09-30 13:25 ` Ted Zlatanov
2013-09-30 14:50 ` Stephen J. Turnbull
2013-09-30 15:10 ` Matthias Dahl
2013-09-30 17:18 ` Ted Zlatanov
2013-10-01 14:03 ` Matthias Dahl
2013-10-02 2:45 ` Stephen J. Turnbull
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52429ABD.6090603@binary-island.eu \
--to=ml_emacs-lists@binary-island.eu \
--cc=emacs-devel@gnu.org \
--cc=monnier@iro.umontreal.ca \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/emacs.git
https://git.savannah.gnu.org/cgit/emacs/org-mode.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.