From: Paul Nathan
Newsgroups: gmane.emacs.devel
Subject: Re: ELPA security
Date: Wed, 26 Dec 2012 09:32:44 -0800
References: <8738zf70ep.fsf@riseup.net> <871uejlbm1.fsf@lifelogs.com>
To: Stefan Monnier
Cc: emacs-devel@gnu.org

On Sat, Dec 22, 2012 at 8:20 AM, Stefan Monnier wrote:

> > I also think `M-x list-packages' should define a `v' shortcut to file-find
> > the .el file or tarball that constitutes the package without installing
> > it. That will contribute to security and it's really convenient, too.
>
> Actually, "installation" has several steps:
> - download.
> - install per se (i.e. copies the files at an appropriate place).
> - compile.
> - setup (i.e. arrange things such that the package is in the load-path
>   and its autoloads are active next time to start Emacs).
>
> The first two steps can be made to be safe.
>
>
>         Stefan

Hullo,

I would like to humbly provide some ideas here:

- In general, GNU is trusted (after all, we download our emacs from the GNU). This would imply to me that the GNU can GPG sign packages with a private/public key (Perhaps the precursor to this is emacs having a gpg implementation included).

- Then perhaps other repositories, such as marmalade could also sign their packages, and users could choose to trust that signature or not.

- Of course, this is analogous to the Debian/Launchpad/PPA approach, which has worked excellently for me and others. It may require quite a great deal of infrastructure work which I am entirely unfamiliar with.

Regards,
Paul

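Added example, not part of the original message and not code from package.el: one way the per-archive signature check proposed above could sit between the "download" and "install" steps, using the EPG library bundled with Emacs (which drives an external gpg binary). The `my-` names, the trust table and the fingerprint placeholder are hypothetical.

```elisp
;;; -*- lexical-binding: t -*-
;; Added illustration; every `my-' name below is hypothetical.
(require 'cl-lib)
(require 'epg)
(require 'package)

(defvar my-archive-trusted-keys
  '(("gnu"       . ("PLACEHOLDER-GNU-ARCHIVE-KEY-FINGERPRINT"))
    ("marmalade" . ()))  ; empty list: the user has not chosen to trust it
  "Alist mapping an archive name to the key fingerprints trusted for it.
The fingerprint shown is a placeholder, not a real key.")

(defun my-package-signature-ok-p (archive file sig-file)
  "Return non-nil if SIG-FILE is a good detached signature over FILE.
The signature must come from a key the user trusts for ARCHIVE."
  (let ((trusted (cdr (assoc archive my-archive-trusted-keys)))
        (context (epg-make-context 'OpenPGP)))
    (and trusted
         ;; A gpg failure (missing key, unreadable file) signals an
         ;; error; treat any error as "not verified" (fail closed).
         (condition-case nil
             (progn (epg-verify-file context sig-file file) t)
           (error nil))
         ;; Require a GOOD signature made by one of the trusted keys;
         ;; a good signature from some other key is not enough.
         (cl-some (lambda (sig)
                    (and (eq (epg-signature-status sig) 'good)
                         (member (epg-signature-fingerprint sig) trusted)))
                  (epg-context-result-for context 'verify)))))

(defun my-install-if-signed (archive file sig-file)
  "Install the downloaded package FILE from ARCHIVE only if it verifies.
FILE and SIG-FILE are local paths produced by the download step."
  (unless (my-package-signature-ok-p archive file sig-file)
    ;; Nothing has been unpacked, compiled or loaded at this point.
    (delete-file file)
    (error "Refusing %s from archive %s: no good signature from a trusted key"
           (file-name-nondirectory file) archive))
  (package-install-file file))
```

Because the check runs before `package-install-file`, a package that fails verification never reaches the compile or setup steps, where its code would be evaluated.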