From: "Stephen J. Turnbull"
Newsgroups: gmane.emacs.devel
Subject: Re: security of the emacs package system, elpa, melpa and marmalade
Date: Tue, 01 Oct 2013 11:19:50 +0900
To: Matthias Dahl
Cc: Stefan Monnier, emacs-devel@gnu.org

Matthias Dahl writes:

> I am not saying a sandbox is the best solution. But imho, something
> should be done... or would be nice to have. Even if it is a community
> based reputation system.

We already have that. GNU ELPA requires somebody who has been
acknowledged to be responsible to look at it before it gets added.
Some of the others don't.

> Who said it should get those privileges denied? If it was installed and
> declared its required permissions, it will get those. Or am I missing
> something obvious from your statement/question here?

No, you're missing the fact that self-declaring required permissions
means you get all the permissions you need. For good or evil....

> > Sure. But the chances are pretty good that I would. Anyway, the
> > definition of "absolutely need" is "I'm willing to bet that I or some
> > other user would catch it even if the author doesn't."
>
> So you check the source for the plugins you use with each new
> update?

On exposed hosts and for applications that can be invoked by any user,
yes, I do.

> Which shows, you care about security too and take preventive measures.
> Unfortunately, not everybody can work that way for various reasons, though.

And those who don't will eventually pay the price. That's OK, it may
very well be a rational choice to take the risk. I do, on other hosts
with other purposes. But the problem is that typically other people
*also* pay the price.