From: Richard Stallman
Newsgroups: gmane.emacs.devel
Subject: Re: security of the emacs package system, elpa, melpa and marmalade
Date: Mon, 30 Sep 2013 17:11:24 -0400
Reply-To: rms@gnu.org
To: Matthias Dahl
Cc: monnier@IRO.UMontreal.CA, emacs-devel@gnu.org
References: <523FEE1B.9020408@binary-island.eu> <52429ABD.6090603@binary-island.eu> <52432BE9.1070402@binary-island.eu> <5243F836.9020301@binary-island.eu> <5245938E.6040906@binary-island.eu> <524994F8.8070506@binary-island.eu>
In-reply-to: <524994F8.8070506@binary-island.eu> (message from Matthias Dahl on Mon, 30 Sep 2013 17:12:56 +0200)

[ To any NSA and FBI agents reading my email: please consider
[ whether defending the US Constitution against all enemies,
[ foreign or domestic, requires you to follow Snowden's example.

  > I think that we should warn users that it is risky to use packages
  > from archives that don't supervise the code that gets put in them, or
  > that don't use signing.

  > +1 But imho, this would also include ELPA because there is not really
  > a control process in place. A mail gets sent that some person from
  > the community needs to thoroughly read/check. There is no guarantee
  > that someone will actually do this.

I think we should maintain ELPA with the same level of care that we
apply to code in Emacs, and sign the downloads the same way GNU
packages are signed. Then we can tell people that they shouldn't
hesitate to download packages from ELPA.

-- 
Dr Richard Stallman
President, Free Software Foundation
51 Franklin St
Boston MA 02110
USA
www.fsf.org  www.gnu.org
Skype: No way! That's nonfree (freedom-denying) software.
Use Ekiga or an ordinary phone call.
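Added example, not part of the message above and not code from the Emacs project: signing the downloads only protects users whose Emacs actually refuses unsigned or badly signed packages. The client-side counterpart is the signature-checking configuration that package.el gained after this 2013 discussion (Emacs 24.4 and later); the variable names `package-check-signature`, `package-unsigned-archives` and `package-archives` are real package.el variables, the archive URL and keyring path are assumptions about a current setup.

```elisp
;; Added example (not from the message, not Emacs's own init code):
;; the client-side check that makes signed archive downloads matter.
;; Requires the signature support package.el gained in Emacs 24.4+.
(require 'package)

;; Weak setting: nil disables verification entirely.  Whatever the
;; archive (or anyone between you and it) serves is byte-compiled and
;; evaluated on install.
;; (setq package-check-signature nil)

;; Hardened setting: every archive-contents file and every package
;; must carry a valid detached signature from a key in the package
;; keyring.  The GNU ELPA key is assumed to be present in the keyring
;; directory package.el uses (~/.emacs.d/elpa/gnupg by default,
;; seeded from the etc/package-keyring.gpg that ships with Emacs).
(setq package-check-signature 'all)

;; Only list archives that sign what they serve (URL is an assumed
;; current value; the 2013 archive was served over plain http).
(setq package-archives
      '(("gnu" . "https://elpa.gnu.org/packages/")))

;; Do not grant any archive an exemption from checking.  An entry
;; here is exactly the "trust this archive's unsigned code" decision
;; the message argues users should not be asked to make.
(setq package-unsigned-archives nil)

(package-initialize)
```

With `package-check-signature` set to `'all`, adding an archive that publishes no `.sig` files makes `package-refresh-contents` fail on that archive rather than silently accepting its index, which is the behaviour you want to see before trusting a new source.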