From: Jean Louis
To: Tim Cross
Cc: emacs-orgmode@gnu.org
Date: Wed, 25 Nov 2020 08:06:13 +0300
Subject: Re: One vs many directories
In-Reply-To: <875z5uxzev.fsf@gmail.com>

* Tim Cross [2020-11-24 23:40]:
> If people are really concerned about security, they should look first at
> their use of repositories like MELPA. There is no formal review or
> analysis of packages in these repositories, yet people will happily
> select some package and install it.

Interesting that you are one who mentions that. There are just a few people who have ever mentioned it.

I am still in the process of reviewing MELPA packages and its system. There are many security issues. Package signing is one example. It does not offer much security when packages are signed automatically, but it raises the level of security. MELPA packages and archive-contents are not PGP signed, while GNU ELPA packages are signed.

Licensing issues are also a problem with MELPA, as it becomes unclear whether I have got the license or not when the author does not have a proper name.
It is not relevant if the majority of people do not think about or are not aware of licensing, as I have to think of it for software that I may re-use, distribute, or modify. Did I really get the license if the user is named "nick-abc" and has no possible contact information? In some cases, for a subset of MELPA packages, there is no way to verify who really wrote a piece of software and whether I have received the license legally. Due diligence is on my side. I cannot just claim "But he gave me the license"; that will not help if I have not done proper due diligence, and the court would not be on my side.

The other issue is that MELPA's philosophy is to accept any kind of software, even if the software has been made to drive or control proprietary software. For that reason there is now non-GNU ELPA being developed, from which useful packages will be distributed.
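The signing distinction Jean Louis draws above (GNU ELPA signs its packages and archive-contents, MELPA does not) is something package.el can enforce. The following configuration is an added example, not part of the message or of either archive's own code; the variable names are Emacs's own, and the archive URLs are assumed to be the standard ones for the two archives.

```emacs-lisp
;; Added example (not from the thread): how package.el's signature
;; policy maps onto the GNU ELPA vs MELPA distinction discussed above.
(require 'package)

;; Weak setting: nil turns off signature checking for every archive,
;; so a modified archive-contents from any source is accepted silently.
;; (setq package-check-signature nil)

;; Hardened setting: 'all requires every signature on archive-contents
;; and on packages to be valid; an archive that ships no signature is an
;; error unless it is listed explicitly in package-unsigned-archives.
(setq package-check-signature 'all)

;; Assumed standard URLs for the two archives.
(setq package-archives
      '(("gnu"   . "https://elpa.gnu.org/packages/")  ; signed archive-contents
        ("melpa" . "https://melpa.org/packages/")))    ; no signatures published

;; Because MELPA publishes no signatures, it can only be used under 'all
;; if it is named here. The trust decision is now visible in the config
;; rather than being the silent default of a permissive policy.
(setq package-unsigned-archives '("melpa"))

;; GNU ELPA signatures are checked against the keyring in
;; package-gnupghome-dir (default: "gnupg" under package-user-dir); the
;; gnu-elpa-keyring-update package on GNU ELPA refreshes that keyring
;; when the archive's signing key changes.
(package-initialize)
```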