From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.ciao.gmane.io!not-for-mail From: Andrea Corallo Newsgroups: gmane.emacs.devel Subject: Re: Why are so many great packages not trying to get included in GNU Emacs? Date: Fri, 24 Apr 2020 08:56:20 +0000 Message-ID: References: <9mmFgzvrBwjt_n_VJyaJdXINraNi5HsGpwq-0MLeKiJA7kG2BQA4uywrzjyz7lpRS0OZDpjEi8lspOKYUA7P_QsODsDew_8nbH960G55fmY=@protonmail.com> <97DA7804-F647-4A1D-B8E0-AFFE7A324C64@gmail.com> Mime-Version: 1.0 Content-Type: text/plain Injection-Info: ciao.gmane.io; posting-host="ciao.gmane.io:159.69.161.202"; logging-data="17157"; mail-complaints-to="usenet@ciao.gmane.io" User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux) Cc: Yuan Fu , ndame , Stefan Monnier , Emacs developers To: Tim Cross Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Fri Apr 24 10:57:05 2020 Return-path: Envelope-to: ged-emacs-devel@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1jRu8u-0004L7-Iw for ged-emacs-devel@m.gmane-mx.org; Fri, 24 Apr 2020 10:57:04 +0200 Original-Received: from localhost ([::1]:55790 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jRu8t-0001en-L6 for ged-emacs-devel@m.gmane-mx.org; Fri, 24 Apr 2020 04:57:03 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:42692) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jRu8I-0000aF-CB for emacs-devel@gnu.org; Fri, 24 Apr 2020 04:56:26 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.90_1) (envelope-from ) id 1jRu8H-0005El-Da for emacs-devel@gnu.org; Fri, 24 Apr 2020 04:56:26 -0400 Original-Received: from mx.sdf.org ([205.166.94.20]:59682) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jRu8G-00056t-Nw for emacs-devel@gnu.org; Fri, 24 Apr 2020 04:56:24 -0400 Original-Received: from sdf.org (ma.sdf.org [205.166.94.33]) by mx.sdf.org (8.15.2/8.14.5) with ESMTPS id 03O8uLuP004492 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256 bits) verified NO); Fri, 24 Apr 2020 08:56:21 GMT Original-Received: (from akrl@localhost) by sdf.org (8.15.2/8.12.8/Submit) id 03O8uKhV026168; Fri, 24 Apr 2020 08:56:20 GMT In-Reply-To: (Tim Cross's message of "Fri, 24 Apr 2020 09:50:36 +1000") Received-SPF: pass client-ip=205.166.94.20; envelope-from=akrl@sdf.org; helo=mx.sdf.org X-detected-operating-system: by eggs.gnu.org: First seen = 2020/04/24 04:56:21 X-ACL-Warn: Detected OS = ??? X-Received-From: 205.166.94.20 X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Original-Sender: "Emacs-devel" Xref: news.gmane.io gmane.emacs.devel:247674 Archived-At: Tim Cross writes: > I don't think it is quite that simple. > > Your not just trusting that person will do the right thing. You are > also trusting that they also have good operational security. It is > precisely this sort of trust model which resulted n a number of GNU/ > Linux distributions being compromised in the past. IMO the comparison does not stand. We are not talking about a big volume of binaries hard to verify that are continuously pushed by developers. With the current volume of commits we have on ELPA the eyes of other developers on elpa-diffs are sufficient. I believe giving a little more responsibilities to developers is also a fundamental stimulus to involve them more. This need for security is most likely not to be beneficial and BTW I'm not sure is backuped by specific examples of the past happen in the ELPA repo. Lastly wanted to mention that yeah... as a last resource 'git revert' exists :) Regards Andrea -- akrl@sdf.org