Re: security of the emacs package system, elpa, melpa and marmalade

[Matthias Dahl]

Hello @all...

First of all, thanks to everyone for weighing in their respective
opinions and investing their time-- on- and off list.

A sandbox as initially discussed, is unanimously the wrong path to take
for various reasons that were brought up in detail, so I stand corrected
and also agree with the admittedly convincing arguments.

But some interesting points came up in the course of all of this: There
are people reviewing packages even it is just for their own sake and due
to their own security needs. Those people check code, the history of the
maintainers and keep an watchful eye on things. But they usually do so
for their own.

Maybe this is just wishful thinking but what if we could channel that
effort into a single and package repository independent project?

Please let me explain: The project would mostly build on the web of
trust principle. Basically people can review and rate packages. And in
order to do so, you need a certain level of trust which you gain through
ratings or pledges from already trusted reviewers. Initially those could
be the Emacs and respective package maintainers and so forth.

The interesting part though: This service should most definitely work
across all package repositories. That way, no matter if you download
from ELPA or MELPA or Marmalade or whatever the future brings, the
service is queried. The crux would be in defining an universal way to
detect a package and its version. This could be through hashes across
all .el  files for example, which all repos obviously deliver and have
in common.

package.el could be extended to properly display all available metrics
on the detail page of a package to keep the load down on the service. It
would display the metrics for the current version as well as the overall
metrics (which would be useful if the current version hadn't been rated
yet).

Earlier in this thread, I mentioned I'd like to see better tools for
users, so what about this: A user can comfortably review a package in
Emacs when it is downloaded and before it is loaded (even a batch of
packages). The same goes for updates: He can see diffs between the new
version and one he had installed. This could easily be combined with a
review or rating to the service mentioned previously.

Naturally, all of this optionally without anyone being forced to do so.

Last but not least: Through an API key, all repos could report to the
service download metrics which can give a _very_ rough clue about how
popular a package might be. Thus, we would finally have accumulated
metrics for this and other things across repos.

This is just (again) thinking out loud. But I think this "solution" has
some very promising potential because it is non-invasive to how Emacs
currently works (= no sandbox effort), does not give a false sense of
security and overall encourages the community to actually review code.
And by all of this, it actually does imho increase security.

And if those people who already review code, continue to do so but also
report their findings back to the service and maybe rate other people
they know and trust, this could actually work rather well.

Ideally, the service could be extended in the future to make it a place
where code review for newcomers (new packages) could happen to improve
their work... just like it is done on the list right now.

I'm a bit afraid to ask but what do you guys and gals think? :)

So long,
Matthias

-- 
Dipl.-Inf. (FH) Matthias Dahl | Software Engineer | binary-island.eu
 services: custom software [desktop, mobile, web], server administration