From: Stefan Monnier <monnier@iro.umontreal.ca>
To: emacs-devel@gnu.org
Subject: GNU ELPA security and Org-mode
Date: Thu, 06 Apr 2017 11:04:29 -0400
Message-ID: <jwvinmhwq15.fsf-monnier+gmane.emacs.devel@gnu.org>
I just realized that the GPG-signing we're doing in GNU ELPA is
weaker for the org-mode packages than for all others:
All GNU ELPA packages, except for org-mode, are generated by
elpa.gnu.org from an elpa.git checkout (via https, not sure if Git
checks the key), whereas the org-mode package is downloaded from
http://orgmode.org/elpa.
So the org-mode package has weaker points:
- uses http rather than https.
- downloaded from a machine that's further (well, not absolutely sure,
but I assume that elpa.gnu.org and git.sv.gnu.org are near each other).
Maybe we should consider some way to take the org packages from
http://orgmode.org/elpa, and push them to elpa.git. This way even if
this transfer from orgmode.org to elpa.git suffers from the same risks,
the resulting patch would be sent to elpa-diffs, so it would be exposed
for review (how much review it would really get is clearly debatable,
tho).
Stefan