From: Gulshan Singh
Newsgroups: gmane.emacs.help
Subject: Should package.el support notifying on package security updates?
Date: Tue, 12 Jul 2022 13:54:42 -0700
Message-ID: <87r12qm4q5.fsf@gmail.com>
To: help-gnu-emacs@gnu.org
Xref: news.gmane.io gmane.emacs.help:138464

Hi,

I recently reported a security issue for a package on MELPA, where even though I trusted the package author, if I used the package to process untrusted data, that data could be crafted in a way to execute arbitrary code on my system. This led me to wonder if there was any mechanism for package.el to distinguish between regular updates and security updates, and I wasn't able to find any information on this. Has there been any past discussion on this?

As an example, on Ubuntu you can see how many of the pending updates are security updates as opposed to regular updates, and you can configure the system to auto-update just the security updates. I feel like the package manager in Emacs should have something similar, but maybe I'm missing something about why this functionality isn't included.
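The kind of check the post is asking for, as an added example that is not from the original message or from package.el itself: it compares installed package versions against an advisory list and warns when a package is older than the version that fixed the issue. The advisory list, the `my-package-*` names and the package names in it are hypothetical, since package.el publishes no advisory feed; only `package-alist`, `package-desc-version`, `version-list-<`, `package-version-join` and `display-warning` are real Emacs APIs.

```emacs-lisp
;; Added illustration; not part of package.el or the original post.
;; The advisory data below is constructed for the example.
(require 'package)

(defvar my-package-advisories
  ;; (PACKAGE-SYMBOL FIXED-VERSION-LIST SUMMARY) -- hypothetical entries
  '((example-pkg (2 1 0) "arbitrary code execution when parsing untrusted input")
    (other-pkg   (0 9 3) "path traversal in file export"))
  "Hypothetical advisories.  A package is affected when its installed
version is older than FIXED-VERSION-LIST.")

(defun my-package-security-updates ()
  "Return a list of (NAME INSTALLED FIXED SUMMARY) for installed
packages whose version is older than an advisory's fixed version."
  (let (hits)
    (dolist (adv my-package-advisories hits)
      (pcase-let ((`(,name ,fixed ,summary) adv))
        ;; `package-alist' maps a package symbol to its installed
        ;; package-desc structs (several if multiple versions exist).
        (dolist (desc (cdr (assq name package-alist)))
          (let ((installed (package-desc-version desc)))
            (when (version-list-< installed fixed)
              (push (list name installed fixed summary) hits))))))))

(defun my-package-report-security-updates ()
  "Warn about installed packages that have a pending security fix.
Returns the list of affected packages so callers can act on it."
  (interactive)
  (let ((hits (my-package-security-updates)))
    (if (null hits)
        (message "No pending security updates for installed packages")
      (dolist (h hits)
        (pcase-let ((`(,name ,installed ,fixed ,summary) h))
          (display-warning
           'package
           (format "%s %s has a security fix in %s: %s"
                   name (package-version-join installed)
                   (package-version-join fixed) summary)
           :warning))))
    hits))

;; Run the check once at startup; it can also be called with M-x.
(add-hook 'after-init-hook #'my-package-report-security-updates)
```

The advisory list would have to come from the archive (e.g. an extra field alongside the version in the archive contents) for this to be more than a local stopgap, which is exactly the gap the post points at.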