From: Stefan Kangas <stefankangas@gmail.com>
To: Ihor Radchenko <yantar92@posteo.net>,
Husain Alshehhi <husain@alshehhi.io>
Cc: emacs-devel@gnu.org
Subject: Re: Security in the emacs package ecosystem
Date: Sat, 4 Feb 2023 08:59:54 -0800 [thread overview]
Message-ID: <CADwFkmkx3J=LvWT1upGMBaC3MRuyuxmAOB4ghRpYu-BCuX3sSg@mail.gmail.com> (raw)
In-Reply-To: <87fsblfuc6.fsf@localhost>
Ihor Radchenko <yantar92@posteo.net> writes:
> To followup, how are the plans (stated in the referenced discussion)
> about signing ELPA packages?
>
> AFAIK, ELPA currently re-builds package tarballs every time a new tag
> appears in the source repo. No signature checks, nothing to prevent
> potential breach in the source repo.
I think we should add some flag to the build system saying that a
package should only be released if the new tag has a valid signature.
This would have to be optional for now. (It is of course already best
practice to always sign your tags regardless.)
IMO, opening a feature request for this in the bug tracker would be
useful. A patch would be even better.
> And ELPA tarballs themselves are not signed. Same for non-GNU ELPA,
> AFAIK.
GNU ELPA and NonGNU ELPA does sign packages, see for example:
https://elpa.gnu.org/packages/company-0.9.13.tar
https://elpa.gnu.org/packages/company-0.9.13.tar.sig
For some reason, the signature file is not linked from the web
interface. I think we should add such a link.
If I'm not mistaken, MELPA unfortunately does not sign packages.
next prev parent reply other threads:[~2023-02-04 16:59 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-15 20:53 Security in the emacs package ecosystem Husain Alshehhi
2023-02-04 13:12 ` Ihor Radchenko
2023-02-04 16:59 ` Stefan Kangas [this message]
2023-02-17 10:21 ` Ihor Radchenko
2023-02-17 10:23 ` Ihor Radchenko
2023-02-17 15:54 ` Stefan Kangas
2023-02-18 10:57 ` Ihor Radchenko
2023-02-18 11:49 ` Eli Zaretskii
2023-02-20 5:18 ` Richard Stallman
2023-02-20 6:23 ` Po Lu
2023-02-20 17:38 ` chad
2023-03-11 19:45 ` Thomas Koch
2023-03-14 4:00 ` Richard Stallman
2023-10-06 9:32 ` bug#66369: Change package-check-signature default to t Stefan Kangas
2023-02-18 11:54 ` Making `package-check-signature' more restrictive by default Stefan Kangas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CADwFkmkx3J=LvWT1upGMBaC3MRuyuxmAOB4ghRpYu-BCuX3sSg@mail.gmail.com' \
--to=stefankangas@gmail.com \
--cc=emacs-devel@gnu.org \
--cc=husain@alshehhi.io \
--cc=yantar92@posteo.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/emacs.git
https://git.savannah.gnu.org/cgit/emacs/org-mode.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.