From: Richard Stallman
Newsgroups: gmane.emacs.devel
Subject: Re: Fwd: Should package.el support notifying on package security updates?
Date: Wed, 24 Aug 2022 23:32:56 -0400
Reply-To: rms@gnu.org
To: Gulshan Singh
Cc: matt@rfc20.org, emacs-devel@gnu.org
In-Reply-To: (message from Gulshan Singh on Sat, 13 Aug 2022 20:29:54 -0700)

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

> That makes sense. But I only brought up the MELPA example because I
> recently encountered a security bug in a MELPA package. There's no reason
> ELPA packages can't have similar security bugs (I just don't have an
> example of this at the moment), and I figured it might be a good idea to
> have some support for making it easier for users to quickly get security
> updates for packages, regardless of what repository they're using.

We can do that for the repositories that we support, whose packages we
can fix or whose maintainers have some relationship with us. We have
no relationship with MELPA -- if you use that, you're on your own.

We do copy some packages from MELPA into NonGNU ELPA. It takes a
little discussion, making sure the package does and will satisfy some
basic criteria. But if the package is popular, we're glad to do that.
You can ask us to move the packages you use, if they are popular.

Do we support the NonGNU ELPA packages well enough now for security
updates?

--
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)