all messages for Emacs-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* security of the emacs package system, elpa, melpa and marmalade
@ 2013-09-23  7:30 Matthias Dahl
  2013-09-23 14:17 ` Stefan Monnier
  0 siblings, 1 reply; 44+ messages in thread
From: Matthias Dahl @ 2013-09-23  7:30 UTC (permalink / raw)
  To: emacs-devel

Hello @all,

I know there has been a thread about (more or less) this topic sometime
last year, iirc. But I was unable to find something current, so I hope
it is okay to raise a few questions and ideas about this subject.

As it stands, most Emacs users I guess install quite a few packages from
various sources (git repo, elpa, melpa, ...) to mold Emacs to their very
specific needs and workflow. The same naturally goes for me.

Right now, the only way to make sure there is no malicious code hidden
in those packages, is to check each one manually during the initial
installation as well as for each update... which can be a very time
intensive task and not every person using Emacs is a Elisp guru and can
really spot each malicious code fragment. Especially since more and more
newer projects recommend installing their package through the package
management system (especially MELPA) which makes it even more easy to
install something without checking it first.

Signed packages on the package server (e.g. ELPA) make sense, if said
process is done externally and a security check is performed on the
package in question before signing. For MELPA this is an even harder
problem to solve, since it is fully automated and thus even signing the
package is out of the question since it would not add much of a value.

Nevertheless, I think this is a serious problem and a security incident
waiting to happen... it is just a matter of time, imho.

The best solution imho would be that each package on a package server,
no matter which one, is reviewed before being available either through a
dedicated staff of volunteers or through a more open process that makes
use of the user base somehow (which could be very difficult in terms of
trustworthiness). Unfortunately, I see this as something that needs
annual financial funding and hard for the Emacs community to achieve. I
might be wrong - and I'd like to be, honestly.

So, I'd like to propose the following as at least some measure of
protection and a first step in making the package system more secure: A
package gets a security context which details its very own permissions
just like e.g. an Android app. That context is permanent, meaning that
if a user action enters package 1 with a narrow permission set which in
turn utilizes some functions of a package 2 (which has a rather wide
permission set), only the original narrow permission set will be applied
and available. This makes the implementation easier and the system more
robust against possible workaround/exploits, imho.

There are a lot of packages that don't need access to the filesystem,
network and other security sensitive areas. If a package got hacked that
did not have those permissions in the first place, Emacs could detect a
violation, inform the user and end the execution.

Naturally, this also implies that the defined permissions should only be
alterable on the package server through an authoritative person and not
by the package itself. Also, if permissions changed, the user would
be informed by Emacs and ask for permission.

This would need a lot more detailing like what kind of permissions
should be defined (granularity, ...) and how. I'm just throwing my
thoughts into the community hive mind, very much hoping not to get
crushed fiercely. :)

Basically, all I want to achieve with this mail is to get a discussion
going about this topic which hopefully could lead to a more secure and
even better Emacs package system.

Sorry for the wall of text... and thanks for listening, um, reading. :)

-- 
Dipl.-Inf. (FH) Matthias Dahl | Software Engineer | binary-island.eu
 services: custom software [desktop, mobile, web], server administration



^ permalink raw reply	[flat|nested] 44+ messages in thread

end of thread, other threads:[~2014-09-13 17:57 UTC | newest]

Thread overview: 44+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-09-23  7:30 security of the emacs package system, elpa, melpa and marmalade Matthias Dahl
2013-09-23 14:17 ` Stefan Monnier
2013-09-25  8:11   ` Matthias Dahl
2013-09-25 17:00     ` Stefan Monnier
2013-09-25 18:31       ` Matthias Dahl
2013-09-25 22:42         ` Bastien
2013-09-26  9:02           ` Matthias Dahl
2013-09-27 14:02             ` Bastien
2013-09-27 14:17               ` Matthias Dahl
2013-09-27 14:19                 ` Bastien
2013-09-27 18:29                   ` Matthias Dahl
2013-09-26  1:09         ` Stefan Monnier
2013-09-26  9:02           ` Matthias Dahl
2013-09-26  9:21             ` Óscar Fuentes
2013-09-26 14:41             ` Stefan Monnier
2013-09-27 14:17               ` Matthias Dahl
2013-09-27 15:47                 ` Stefan Monnier
2013-09-28 14:15                   ` Richard Stallman
2013-09-30 15:12                     ` Matthias Dahl
2013-09-30 21:11                       ` Richard Stallman
2013-09-30 15:31                   ` Matthias Dahl
2013-09-26  1:12         ` Stephen J. Turnbull
2013-09-26  9:02           ` Matthias Dahl
2013-09-27  7:10             ` Stephen J. Turnbull
2013-09-27 14:18               ` Matthias Dahl
2013-09-27 17:31                 ` Stephen J. Turnbull
2013-09-30 15:25                   ` Matthias Dahl
2013-10-01  2:19                     ` Stephen J. Turnbull
2013-09-27 20:12                 ` chad
2013-09-26  9:31           ` Andreas Röhler
2013-09-26 16:25           ` Richard Stallman
2013-09-27 14:18             ` Matthias Dahl
2013-09-27 15:04               ` Óscar Fuentes
2014-09-13 17:57                 ` Thomas Koch
2013-09-29 10:12             ` Ted Zlatanov
2013-09-29  9:53   ` Ted Zlatanov
2013-09-29 17:49     ` Daiki Ueno
2013-09-29 18:18       ` Ted Zlatanov
2013-09-30 13:25         ` Ted Zlatanov
2013-09-30 14:50           ` Stephen J. Turnbull
2013-09-30 15:10     ` Matthias Dahl
2013-09-30 17:18       ` Ted Zlatanov
2013-10-01 14:03         ` Matthias Dahl
2013-10-02  2:45           ` Stephen J. Turnbull

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/emacs.git
	https://git.savannah.gnu.org/cgit/emacs/org-mode.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.