emacs-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ELPA security

From: Ted Zlatanov
Subject: Re: ELPA security
Date: Fri, 21 Dec 2012 09:32:22 -0500
User-agent: Gnus/5.130006 (Ma Gnus v0.6) Emacs/24.3.50 (gnu/linux) 
On Sun, 09 Dec 2012 16:41:50 +0200 George Kadianakis <address@hidden> wrote: 

GK> I've been looking into ELPA (the Emacs Lisp Package Archive) and I
GK> noticed that package.el provides no security of any kind. It doesn't
GK> do signatures, SSL, timestamps or anything.

GK> Are you actually considering deploying a system that downloads
GK> untrusted code from the Internet every time a user asks for a new
GK> package or asks to upgrade his current packages?

Who would *you* like to entrust with the user's security?

I am not questioning your direction, just thinking about it.

GK> Package management is serious business [0]. It's sad to see ELPA
GK> approaching the problem so insecurely.

GK> Can't you at the very least, enable HTTPS on tromey.com and pin its
GK> public key on package.el?

SSL can easily be compromised and may not be available on all
platforms.

I think the signing solution should be per-package, optional, functional
in older Emacsen without binary dependencies, and the user should be
able to override it on an individual or global basis.  So it can't use
`curl', `gpg', or GnuTLS...

I also think `M-x list-packages' should define a `v' shortcut to file-find
the .el file or tarball that constitutes the package without installing
it.  That will contribute to security and it's really convenient, too.

Ted
reply via email to
[Prev in Thread] Current Thread [Next in Thread]