From: Nic Ferrier
Newsgroups: gmane.emacs.devel
Subject: Re: ELPA security
Date: Sun, 09 Dec 2012 21:00:30 +0000
Message-ID: <877gorhrf5.fsf@ferrier.me.uk>
References: <8738zf70ep.fsf@riseup.net>
In-Reply-To: <8738zf70ep.fsf@riseup.net> (George Kadianakis's message of "Sun, 09 Dec 2012 16:41:50 +0200")
To: George Kadianakis
Cc: emacs-devel@gnu.org
List-Id: "Emacs development discussions."
Xref: news.gmane.org gmane.emacs.devel:155406

George Kadianakis writes:

> I've been looking into ELPA (the Emacs Lisp Package Archive) and I
> noticed that package.el provides no security of any kind. It doesn't
> do signatures, SSL, timestamps or anything.
>
> Are you actually considering deploying a system that downloads
> untrusted code from the Internet every time a user asks for a new
> package or asks to upgrade his current packages?
>
> Package management is serious business [0]. It's sad to see ELPA
> approaching the problem so insecurely.
>
> Can't you at the very least, enable HTTPS on tromey.com and pin its
> public key on package.el?

1. you're right! it isn't very secure. a few of us have been grumbling
   about this for a while.

2. it's free software! you don't have to use it!

3. it's free software! you can fix it with patches!

4. marmalade repo is a free software package repository (an additional
   repository to ELPA) which I maintain. I would welcome patches!
   https://github.com/nicferrier/marmalade

5. tromey.com should not be used anymore, it's elpa.gnu.org now.

Nic Ferrier
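The two controls the question asks for (transport security and signature checking on fetched packages) can be expressed as client-side package.el configuration in later Emacs releases. The following is an added example, not code from this message, from package.el or from the marmalade project. It assumes Emacs 24.4 or later, where the variables `package-check-signature` and `gnutls-verify-error` exist; the archive URL is the elpa.gnu.org host named in the reply, and the `my/insecure-package-archives` helper is a hypothetical audit function written for this example.

```elisp
;; Added example, not from the thread: hardening package.el's archive setup.
;; Assumes Emacs 24.4+ (package-check-signature, gnutls-verify-error).

;; Weak setting: the situation the thread describes. Plain HTTP and no
;; signature check means whoever controls the path to the archive controls
;; the code that gets installed.
;;
;;   (setq package-archives '(("gnu" . "http://elpa.gnu.org/packages/")))
;;   (setq package-check-signature nil)

(require 'package)

;; Corrected setting, part 1: fetch over HTTPS and make a certificate that
;; fails validation an error rather than a warning.
(setq gnutls-verify-error t)
(setq package-archives
      '(("gnu" . "https://elpa.gnu.org/packages/")))

;; Corrected setting, part 2: require a valid OpenPGP signature on the
;; archive index and on every package; unsigned or badly signed packages
;; are refused instead of installed.
(setq package-check-signature t)

(package-initialize)

(defun my/insecure-package-archives ()
  "Return names of `package-archives' entries not fetched over HTTPS.
Hypothetical audit helper for this example, not part of package.el.
Local archives (plain directory paths) are reported too, since the
check is purely about the URL scheme."
  (let (insecure)
    (dolist (entry package-archives)
      (unless (string-prefix-p "https://" (cdr entry))
        (push (car entry) insecure)))
    (nreverse insecure)))

;; With the configuration above this returns nil; add an "http://" entry
;; to `package-archives' and its name shows up in the result.
(my/insecure-package-archives)
```

Setting `package-check-signature` to `t` only helps if the archive's signing key is present in the user's package keyring; otherwise every install fails closed, which is the intended behaviour but should be expected when first enabling it.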