emacs-devel

Re: ELPA security


From: Jambunathan K
Subject: Re: ELPA security
Date: Mon, 07 Jan 2013 11:39:19 +0530
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3.50 (gnu/linux)

Paul Nathan <address@hidden> writes:

>> If I am downloading a package from a trustworthy site - "certified"
>> by a legal entity - I should be doing good, right.
>
> Jambunathan,
>
> The existing problem statement is that while we (presumably) trust the
> GNU Emacs code, we do not per se trust the other packages in
> existence. How do we know those packages are what the original authors
> created? It is not the best idea from a security standpoint to
> download arbitrary code from the emacs wiki and execute it! 

Thanks for not getting offended and ELI5.  I don't mean to hijack this
thread.

Frankly speaking, I don't rely on Tromey, Marmalade, Emacswiki or
MELPA.  I may consult them but I don't rely on them.

The main problem is not that of security per se.  The main problem is
reliability.  The packages will break, the author wouldn't care about
responding to questions or fixing things, the functionality itself could
be broken in unknown ways etc.

> The ELPA infrastructure now allows pulling extensions from multiple
> non-GNU repositories. I certainly hope no one hacks them! If someone
> does, then a certification mechanism would assist the user in telling
> them that something's gone very wrong. So a signing mechanism allows
> the distributor to certify his/her code as being written by his/her,
> and you to verify that the distributor certified their code. Whether
> the code itself is any good is a different question, of course - a
> malicious distributor that everyone trusts is a big problem!

I am thinking how many of the existing ELPA repositories will go to the
extent of getting a signature from a legal entity.  Mostly they are
"wannabe-s" or individual efforts.

Maybe the idea is too far ahead of its time.  I wonder whether another
"serious" distributor like GNU ELPA sprouts forth.

Is XEmacs a contender here?  I don't know.  Stephen T can enlighten us.

> Kind regards,
> Paul
>
>

-- 
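The signing mechanism Paul describes above (distributor signs, user verifies, and a good signature says nothing about whether the code is any good) as an added example; this is not code from the thread or from Emacs's package.el, which uses GPG. It assumes Ed25519 detached signatures instead of GPG; the archive name "example-elpa", the keyring type and the package bytes are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Sentinel errors: the two failure modes the user side has to tell apart.
var (
	ErrUntrustedDistributor = errors.New("no trusted key for this distributor")
	ErrBadSignature         = errors.New("signature does not match package contents")
)

// Distributor is the archive operator. The private key never leaves this side;
// only Pub is published for users to install into their keyring.
type Distributor struct {
	Name string
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

// NewDistributor generates a fresh Ed25519 key pair for an archive operator.
func NewDistributor(name string) (*Distributor, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Distributor{Name: name, priv: priv, Pub: pub}, nil
}

// SignPackage produces a detached signature over the exact bytes that will be
// served (the equivalent of a .sig file published next to the package file).
func (d *Distributor) SignPackage(pkg []byte) []byte {
	return ed25519.Sign(d.priv, pkg)
}

// Fingerprint gives a short, stable identifier for a public key so a user can
// compare it against one published out-of-band before deciding to trust it.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Keyring is the user's set of distributor keys they have decided to trust,
// keyed by the distributor name as it appears in the user's package source list.
type Keyring map[string]ed25519.PublicKey

// Trust records a public key for a named distributor.
func (k Keyring) Trust(name string, pub ed25519.PublicKey) { k[name] = pub }

// VerifyPackage is the user-side check run before any downloaded code is
// evaluated: the package must carry a valid signature from the key the user
// holds for the distributor it claims to come from. A passing check only says
// the bytes are what the key holder signed; it says nothing about the code.
func (k Keyring) VerifyPackage(distributor string, pkg, sig []byte) error {
	pub, ok := k[distributor]
	if !ok {
		return ErrUntrustedDistributor
	}
	if !ed25519.Verify(pub, pkg, sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	// Constructed sample: a tiny package file as an archive would serve it.
	pkg := []byte(";;; hello.el --- constructed sample package\n(provide 'hello)\n")

	dist, err := NewDistributor("example-elpa") // hypothetical archive name
	if err != nil {
		panic(err)
	}
	sig := dist.SignPackage(pkg)
	fmt.Println("distributor key fingerprint:", Fingerprint(dist.Pub))

	kr := Keyring{}
	kr.Trust(dist.Name, dist.Pub)
	fmt.Println("genuine package:", kr.VerifyPackage("example-elpa", pkg, sig))

	// Bytes changed after signing (e.g. on a compromised mirror): same signature, different content.
	tampered := append([]byte{}, pkg...)
	tampered = append(tampered, []byte("(message \"modified\")\n")...)
	fmt.Println("tampered package:", kr.VerifyPackage("example-elpa", tampered, sig))

	// Package from an archive whose key the user never installed.
	fmt.Println("unknown distributor:", kr.VerifyPackage("random-mirror", pkg, sig))
}
```

The two error cases are the ones a user actually sees: a tampered package (signature no longer matches the bytes) and a package from an archive whose key was never added to the keyring. The case Paul ends with, a trusted distributor who signs malicious code, passes this check by design; signatures establish origin and integrity, not quality.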


