From: Robert Thorpe
Newsgroups: gmane.emacs.help
Subject: Re: Sv: Install orgmode using its git repository.
Date: Tue, 29 Dec 2020 21:39:22 +0000
Message-ID: <877dp047hx.fsf@robertthorpeconsulting.com>
To: arthur miller, help-gnu-emacs@gnu.org
In-Reply-To: (message from arthur miller on Tue, 29 Dec 2020 17:16:29 +0000)
Xref: news.gmane.io gmane.emacs.help:126906

For what it's worth, I agree with Arthur.

I'd point out that this sort of thing has happened before. A Python package called "Colourama" was found to be manipulating bitcoin addresses. When you put a bitcoin address into the clipboard it would intercept it and replace it with a different one. Notice the British spelling: the legitimate package was called "Colorama". The "Colourama" package was a minor derivative with the bitcoin address trick added in. Something similar happened to the NPM JavaScript library.

We also have to remember that there's the possibility of people hacking things like GitHub, or obtaining the credentials of GitHub users and their signing keys. The recent problems at the US DoD were caused by SolarWinds software. The hackers got into the SolarWinds source code repository (due to very lax security; GitHub and GitLab are probably better). Once in the repository they made a few changes to the source code to introduce a backdoor.
As a result, I'm fairly wary of this idea of automatic downloading. On the other hand, for many packages it's hardly practical to read the whole source code no matter how you obtain it.

BR,
Robert Thorpe

arthur miller writes:

> I won't say anything about nix; it probably is a very good and flexible system. I am also sure containers (docker, kubernetes etc.) could be utilized to sandbox Emacs and what not. But I don't think it should be mandatory. Emacs should run safe on bare metal.
>
> However it is all personal. People can do whatever they want with their computers, and there are already solutions that integrate random github repos: quelpa and straight. But it is still the individual's own initiative to use those. I don't think Emacs should have that built in.
>
> In my opinion it opens up more security risks than needed, and also the possibility to very easily distribute binary blobs not compatible with the GPL. It is not very difficult to get those into Emacs now either, but at least it takes the individual's own actions and is not automated from Emacs out of the box.
>
>
> -------- Original message --------
> From: Leo Butler
> Date: 2020-12-29 16:49 (GMT+01:00)
> To: help-gnu-emacs
> Subject: Re: Sv: Install orgmode using its git repository.
>
> arthur miller writes:
>
>> None of what you write is a particularly adequate "addressing" of a potential security vulnerability that lets potentially malicious code 1) install anything on your machine, 2) steal your data, 3) destroy your data.
>>
>> Maybe a virtual machine, but then you wouldn't be running your Emacs for anything sensitive or serious.
>
> Actually, *nix systems have a very good way to handle these kinds of
> threats without resorting to such devices: users and groups. One can create
> a user account with very limited privileges for working with unvetted
> code, data, etc.
>
> Actually, I do this for developing new code, too. That way, whatever I
> break/change is contained within the confines of that account.
>
>> A reviewed package from elpa/melpa gives at least some guarantee that you are not getting binary blobs and/or directly malicious code installed on your machine.
>
> Leo
>
>> -------- Original message --------
>> From: David Masterson
>> Date: 2020-12-28 22:44 (GMT+01:00)
>> To: arthur miller
>> Cc: Hongyi Zhao, Stefan Monnier, help-gnu-emacs
>> Subject: Re: Sv: Install orgmode using its git repository.
>>
>> arthur miller writes:
>>
>>> I don't think it is a very safe practice to install random Joe's code
>>> directly from some git repo. We have not yet seen malicious code (not
>>> that I know of) in the Emacs community, but Emacs in that respect is as bad
>>> as MS Office from the time when VBA scripts (and viruses) were shared
>>> wildly around, or a web browser with JS that can do anything. Remember
>>> the time when JS was off by default in all browsers? Elisp can do
>>> whatever on your computer, so you should be careful what you
>>> install. Installing from random git repos can open you up to more
>>> security problems than needed. I do clone lots from gitlab/github, but
>>> I always look at the code myself before I ever run it.
>>>
>>> Another point is that installing from git and different branches as it
>>> is possible with straight.el or quelpa (which is what the OP actually wants) can
>>> eventually lead to incompatibility between code that might be much
>>> harder to detect. I personally don't want to bother with latest-latest
>>> of all latest because eventually it could become spaghetti code of
>>> possible incompatibility and clashes.
>>
>> You can address these points in multiple ways:
>>
>> 1. A good backup and restore strategy
>> 2. Virtual machines (i.e. a Chromebook)
>> 3. prioritize (m)elpa-stable over (m)elpa
>> 4. el-get can get a particular version from git
>> ...
>>
>> --
>> David Masterson
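The mitigation that David's point 4 and Arthur's "I always look at the code myself before I ever run it" together point at is pinning: read a specific revision, record its commit id, and from then on refuse to load anything else, so a branch tip that someone later moves (the SolarWinds and "Colourama" pattern above) never reaches your load-path unreviewed. The POSIX shell helper below is an added example, not code from any participant in this thread and not straight.el, quelpa or el-get's own implementation. It assumes three inputs you supply: a repository URL or local path, a destination directory, and the full 40-hex commit id you wrote down after reading the code.

```shell
#!/bin/sh
# Added example (not from the thread): fetch an Elisp package from git and
# refuse to use it unless HEAD is exactly the commit you previously reviewed.
# Assumed inputs: repo URL or path, destination directory, full 40-hex commit id.
set -eu

# Clone into (or fetch into) DEST and detach at EXPECTED.
# Returns 0 only when HEAD == EXPECTED and the tree is exactly what git tracks.
pin_checkout() {
    repo=$1; dest=$2; expected=$3

    # A branch name, tag or short id can be moved or reassigned by whoever
    # controls the remote; insist on a full commit id.
    if ! printf '%s\n' "$expected" | grep -Eq '^[0-9a-f]{40}$'; then
        echo "refusing: pin must be a full 40-hex commit id, got '$expected'" >&2
        return 1
    fi

    if [ -d "$dest/.git" ]; then
        git -C "$dest" fetch -q origin
    else
        git clone -q "$repo" "$dest"
    fi

    # Detaching at an object the remote never had fails here.
    if ! git -C "$dest" checkout -q --detach "$expected" 2>/dev/null; then
        echo "refusing: commit $expected is not in $repo" >&2
        return 1
    fi

    actual=$(git -C "$dest" rev-parse HEAD)
    if [ "$actual" != "$expected" ]; then
        echo "refusing: HEAD is $actual, expected $expected" >&2
        return 1
    fi

    # Stray .elc files or local edits are not what was reviewed either.
    if [ -n "$(git -C "$dest" status --porcelain)" ]; then
        echo "refusing: $dest has untracked or modified files" >&2
        return 1
    fi

    echo "$dest pinned at $expected"
}

# Print the id to record once you have read the code that is checked out in DEST.
current_pin() {
    git -C "$1" rev-parse HEAD
}
```

Usage: clone once, read the code, run `current_pin` and store the id in your init file; on every later machine or refresh call `pin_checkout` with that id and add the directory to `load-path` only when it returns 0. If the project signs releases, `git verify-tag` or `git verify-commit` on the pinned revision is a worthwhile extra step before you record it. Caveat: the pin is only as strong as git's object id (still SHA-1 in most repositories) and as good as your review; it stops a moved branch or a swapped tag, not a backdoor you read past.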