[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: security of the emacs package system, elpa, melpa and marmalade
|
From: |
Matthias Dahl |
|
Subject: |
Re: security of the emacs package system, elpa, melpa and marmalade |
|
Date: |
Fri, 27 Sep 2013 16:18:03 +0200 |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.0 |
Hello Richard...
On 26/09/13 18:25, Richard Stallman wrote:
> * Surreptitious substitution of the wrong code
> instead of what you think you are downloading.
In all honesty, I strongly believe that packages that contain malicious
code would fall under this category.
I think the world in Emacs has changed: It is now even easier to get
packages simply through the package system. Projects advertise that they
should be installed through (M)ELPA or Marmelade. Yet nowhere is any
mention about the security aspects of it.
- Neither repository checks the code for quality and security. And if
a plugin should get withdrawn from a repository because it really was
infected, there is no way to inform a user about it except through the
bad press that followed.
As a counter example: Plugins distributed through addons.mozilla.org
are checked for security - initial versions as well as updates.
- An Emacs plugin can do whatever it chooses to do with the full
privileges of the current user. But why give a plugin all such power
in the first place? Informing the user beforehand what privileges a
plugin required and thus tightening the belt on a plugin, would make
things more transparent and more secure.
I would also _never_ install anything from MELPA if the source of it was
from the wiki which everyone can edit freely, afaik.
Sorry for the wall of text. :(
So long,
Matthias
--
Dipl.-Inf. (FH) Matthias Dahl | Software Engineer | binary-island.eu
services: custom software [desktop, mobile, web], server administration
- Re: security of the emacs package system, elpa, melpa and marmalade, (continued)
- Re: security of the emacs package system, elpa, melpa and marmalade, Matthias Dahl, 2013/09/30
- Re: security of the emacs package system, elpa, melpa and marmalade, Stephen J. Turnbull, 2013/09/25
- Re: security of the emacs package system, elpa, melpa and marmalade, Matthias Dahl, 2013/09/26
- Re: security of the emacs package system, elpa, melpa and marmalade, Stephen J. Turnbull, 2013/09/27
- Re: security of the emacs package system, elpa, melpa and marmalade, Matthias Dahl, 2013/09/27
- Re: security of the emacs package system, elpa, melpa and marmalade, Stephen J. Turnbull, 2013/09/27
- Re: security of the emacs package system, elpa, melpa and marmalade, Matthias Dahl, 2013/09/30
- Re: security of the emacs package system, elpa, melpa and marmalade, chad, 2013/09/27
- Re: security of the emacs package system, elpa, melpa and marmalade, Andreas Röhler, 2013/09/26
- Re: security of the emacs package system, elpa, melpa and marmalade, Richard Stallman, 2013/09/26
- Re: security of the emacs package system, elpa, melpa and marmalade,
Matthias Dahl <=
- Re: security of the emacs package system, elpa, melpa and marmalade, Óscar Fuentes, 2013/09/27
- Re: security of the emacs package system, elpa, melpa and marmalade, Ted Zlatanov, 2013/09/29
Re: security of the emacs package system, elpa, melpa and marmalade, Ted Zlatanov, 2013/09/29
- Re: security of the emacs package system, elpa, melpa and marmalade, Daiki Ueno, 2013/09/29
- Re: security of the emacs package system, elpa, melpa and marmalade, Ted Zlatanov, 2013/09/29
- Re: security of the emacs package system, elpa, melpa and marmalade, Ted Zlatanov, 2013/09/30
- Re: security of the emacs package system, elpa, melpa and marmalade, Stephen J. Turnbull, 2013/09/30
Re: security of the emacs package system, elpa, melpa and marmalade, Matthias Dahl, 2013/09/30
Re: security of the emacs package system, elpa, melpa and marmalade, Ted Zlatanov, 2013/09/30