GNU ELPA security and Org-mode

emacs-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

GNU ELPA security and Org-mode

From:	Stefan Monnier
Subject:	GNU ELPA security and Org-mode
Date:	Thu, 06 Apr 2017 11:04:29 -0400
User-agent:	Gnus/5.13 (Gnus v5.13) Emacs/26.0.50 (gnu/linux)

I just realized that the GPG-signing we're doing in GNU ELPA is
weaker for the org-mode packages than for all other:

All GNU ELPA packages, except for org-mode, are generated by
elpa.gnu.org from an elpa.git checkout (via https, not sure if Git
checks the key), whereas the org-mode package is downloaded from
http://orgmode.org/elpa.

So the org-mode package has weaker points:
- uses http rather than https.
- downloaded from a machine that's further (well, not absolutely sure,
  but I assume that elpa.gnu.org and git.sv.gnu.org are near each other).

Maybe we should consider some way to take the org packages from
http://orgmode.org/elpa, and push them to elpa.git.  This way even if
this transfer from orgmode.org to elpa.git suffers from the same risks,
the resulting patch would be sent to elpa-diffs, so it would be exposed
for review (how much review it would really get is clearly debatable,
tho).


        Stefan

[Prev in Thread]

Current Thread

[Next in Thread]

GNU ELPA security and Org-mode, Stefan Monnier <=

Prev by Date: Re: package security auditing and isolation
Next by Date: Re: package security auditing and isolation
Previous by thread: package security auditing and isolation
Next by thread: Re: master cd0a795: Output number of characters added to file (Bug#354)
Index(es):
- Date
- Thread