Re: ELPA security
From: Nic Ferrier
Subject: Re: ELPA security
Date: Sun, 09 Dec 2012 21:00:30 +0000

George Kadianakis <address@hidden> writes:
> I've been looking into ELPA (the Emacs Lisp Package Archive) and I
> noticed that package.el provides no security of any kind. It doesn't
> do signatures, SSL, timestamps or anything.
>
> Are you actually considering deploying a system that downloads
> untrusted code from the Internet every time a user asks for a new
> package or asks to upgrade his current packages?
>
> Package management is serious business [0]. It's sad to see ELPA
> approaching the problem so insecurely.
>
> Can't you, at the very least, enable HTTPS on tromey.com and pin its
> public key on package.el?

1. you're right! it isn't very secure. a few of us have been grumbling
   about this for a while.
2. it's free software! you don't have to use it!
3. it's free software! you can fix it with patches!
4. marmalade repo is a free software package repository (an additional
   repository to ELPA) which I maintain. I would welcome patches!
   https://github.com/nicferrier/marmalade
5. tromey.com should not be used anymore, it's elpa.gnu.org now.

Nic Ferrier