Re: Sv: Install orgmode using its git repository.

[Hongyi Zhao <hongyi.zhao@gmail.com>]

On Wed, Dec 30, 2020 at 5:40 AM Robert Thorpe
<rt@robertthorpeconsulting.com> wrote:
>
> For what it's worth, I agree with Arthur.
>
> I'd point out that this sort of thing has happened before.  A Python
> package called "Colourama" was found to be manipulating bitcoin
> addresses.  When you put a bitcoin address into the clipboard it would
> intercept it and replace it with a different one.  Notice the British
> spelling, the legitimate package was called "Colorama".  The "Colourama"
> package was a minor derivative with the bitcoin address trick added in.
>
> Something similar happened to the NPM Javascript library.
>
> We also have to remember that there's the possibility of people hacking
> things like github.  Or obtaining the credentials of github users and
> their signing keys.  The recent problems at the US DoD were caused by
> Solarwinds software.  The hackers got into the Solarwinds source code
> repository (due to very lax security, github & gitlab are probably
> better).  Once in the repository they made a few changes to the
> sourcecode to introduce a backdoor.
>
> As a result, I'm fairly wary of this idea of automatic downloading.  On
> the other hand, for many packages it's hardly practical to read the
> whole sourcecode no matter how you obtain it.

Elisp, just as any lisp derivatives, has a very steep learning curve.
They all have a fairly simple grammatical structure at the first
glimpse but it is so difficult to master and use them skillfully.

BR,
-- 
Assoc. Prof. Hongyi Zhao <hongyi.zhao@gmail.com>
Theory and Simulation of Materials
Hebei Polytechnic University of Science and Technology engineering
NO. 552 North Gangtie Road, Xingtai, China