all messages for Emacs-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
From: Ihor Radchenko <yantar92@posteo.net>
To: Stefan Kangas <stefankangas@gmail.com>
Cc: Husain Alshehhi <husain@alshehhi.io>, emacs-devel@gnu.org
Subject: Re: Security in the emacs package ecosystem
Date: Fri, 17 Feb 2023 10:21:37 +0000	[thread overview]
Message-ID: <87wn4gd232.fsf@localhost> (raw)
In-Reply-To: <CADwFkmkx3J=LvWT1upGMBaC3MRuyuxmAOB4ghRpYu-BCuX3sSg@mail.gmail.com>

Stefan Kangas <stefankangas@gmail.com> writes:

> I think we should add some flag to the build system saying that a
> package should only be released if the new tag has a valid signature.
> This would have to be optional for now.  (It is of course already best
> practice to always sign your tags regardless.)

This is a good measure and will certainly improve security.

Another consideration is that package recipes can be directly edited by
anyone. If an account of a person with write access to, for example,
ELPA is compromised, ELPA recipes can be arbitrarily manipulated for all
ELPA packages. This includes re-targeting the source repo or simply
disabling the signature verification.

I am raising this because a breach of a package repo means a significant
probability of leaked ssh keys. The same ssh keys can be used to access
ELPA then.

> GNU ELPA and NonGNU ELPA does sign packages, see for example:
>
>     https://elpa.gnu.org/packages/company-0.9.13.tar
>     https://elpa.gnu.org/packages/company-0.9.13.tar.sig
>
> For some reason, the signature file is not linked from the web
> interface.  I think we should add such a link.

I opened a bug report to create an actionable item on this.
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=61569

> If I'm not mistaken, MELPA unfortunately does not sign packages.

Looking at 43.4 Creating and Maintaining Package Archives, signing is
actually recommended. WRT MELPA we can do the following:
1. Open an issue
2. Allow users to demand package.el to verify signatures when
   downloading packages. Interested users can then increase their
   security by rejecting packages without .sig file.

-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>



  reply	other threads:[~2023-02-17 10:21 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-05-15 20:53 Security in the emacs package ecosystem Husain Alshehhi
2023-02-04 13:12 ` Ihor Radchenko
2023-02-04 16:59   ` Stefan Kangas
2023-02-17 10:21     ` Ihor Radchenko [this message]
2023-02-17 10:23       ` Ihor Radchenko
2023-02-17 15:54       ` Stefan Kangas
2023-02-18 10:57         ` Ihor Radchenko
2023-02-18 11:49           ` Eli Zaretskii
2023-02-20  5:18             ` Richard Stallman
2023-02-20  6:23               ` Po Lu
2023-02-20 17:38               ` chad
2023-03-11 19:45                 ` Thomas Koch
2023-03-14  4:00                   ` Richard Stallman
2023-10-06  9:32             ` bug#66369: Change package-check-signature default to t Stefan Kangas
2023-02-18 11:54           ` Making `package-check-signature' more restrictive by default Stefan Kangas

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87wn4gd232.fsf@localhost \
    --to=yantar92@posteo.net \
    --cc=emacs-devel@gnu.org \
    --cc=husain@alshehhi.io \
    --cc=stefankangas@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/emacs.git
	https://git.savannah.gnu.org/cgit/emacs/org-mode.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.