Re: ELPA security

[Ted Zlatanov]

On Mon, 31 Dec 2012 12:48:44 -0700 Tom Tromey <address@hidden> wrote: 

>>>>>> "Ted" == Ted Zlatanov <address@hidden> writes:
Ted> 1. add DVCS support to package.el, supporting Git and Bazaar, with the
Ted> notion of "pull packages from repo X at tag/commit Y" in addition to the
Ted> current "pull packages from URLs".  The VC package has to be involved
Ted> here, instead of writing custom code.

Tom> What is the reason for this?

Right now, it's easy to change the DNS entry for the GNU ELPA and
compromise a user's machine completely.

I proposed a way for package.el to verify packages by looking at signed
DVCS commits (Bazaar) or tags (Git).  This uses public-key cryptography,
which fits well with the decentralized operation of package.el, and
these DVCSs are available on most modern platforms that can run Emacs.
Please see my previous posts to emacs-devel for the details.

Tom> FWIW, I considered and rejected this approach when writing package.el.
Tom> My reason was that I wanted packaging not to require any external tools,
Tom> so it would be available to all Emacs users.  Also, KISS.

OK.  KISS doesn't address package security, unfortunately.  How would
you suggest we verify the packages you've downloaded?  Plain HTTP and
HTTP/S are not sufficient.  We need to build the equivalent of the DVCS
signed commits/tags, in my opinion, and I'd live to avoid that extra
work.  The VC package, present in Emacs already, could provide this.

Tom> Mixing in VC seems to add a lot of potential failure modes.

The current situation is bad enough to warrant this work and potential
complications.  I am open to alternative suggestions.

Ted