Re: security-patches package

emacs-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: security-patches package

From:	Phillip Lord
Subject:	Re: security-patches package
Date:	Thu, 21 Sep 2017 21:01:56 +0100
User-agent:	Gnus/5.13 (Gnus v5.13) Emacs/25.3.50 (gnu/linux)

Ted Zlatanov <address@hidden> writes:

> On Fri, 15 Sep 2017 08:32:16 -0400 Stefan Monnier <address@hidden> wrote: 
>
> SM> having a "security-patches" package might make sense.
>>> I would love to see that as well, especially if it was well tested in a
>>> CI system against various versions of Emacs.
>>> What needs to happen so the experience is seamless?
>
> SM> Step one is to create this package in elpa.git, putting the fix for the
> SM> enriched.el bug.
>
> A package is pretty easy but I have a few questions before putting that
> out:
>
> * how do we prevent accidental or malicious commits to this package?
>   Could it maybe live in a special "GNU ELPA security updates" archive
>   separate from elpa.git?

I think this is not important. It wouldn't have any special privilege;
i.e. the malicious user could do the same nasty things in any package.
Accidental commits could just be controlled by constraining the
*release* -- that is commits would be normal, but they wouldn't go live.

> * should it be signed+released in a special way? How do we test it?

Testing is hard, unless we produce a "alpha" version of ELPA (try saying
that when drunk).

> * what version of Emacs will begin to check for this package?

Emacs 26, more or less by definition.

> * Can we do push notifications somehow or are we limited to polling?

Polling. Worse polling at the users request, because ELPA doesn't also
update.

Changing ELPA to auto-update the archive would be a good thing to do, I
think.

> * should there be a special mailing list for internal discussions?
>
> * how do we make the experience seamless (on startup, during a
>   long-running session, unattended, for a whole site)?
>
> In a related vein, I mentioned a while ago that it would be really nice
> to see the changes (from what's installed) to all the code in a package
> before upgrading it. I think for security updates that would be
> especially useful.

That would be cute, for non-security also. Give people a reason to
update.

Phil

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [ANNOUNCE] Emacs 25.3 released, (continued)
- Hotfixing older Emacsen? Was: [ANNOUNCE] Emacs 25.3 released, Clément Pit-Claudel, 2017/09/12
  - Re: Hotfixing older Emacsen? Was: [ANNOUNCE] Emacs 25.3 released, Phillip Lord, 2017/09/14
  - Re: Hotfixing older Emacsen? Was: [ANNOUNCE] Emacs 25.3 released, Richard Stallman, 2017/09/17
    - Re: Hotfixing older Emacsen? Was: [ANNOUNCE] Emacs 25.3 released, Nicolas Petton, 2017/09/18
    - Re: Hotfixing older Emacsen? Was: [ANNOUNCE] Emacs 25.3 released, Stefan Monnier, 2017/09/18
    - Re: Hotfixing older Emacsen? Was: [ANNOUNCE] Emacs 25.3 released, Richard Stallman, 2017/09/18

Prev by Date: Re: [Emacs-diffs] emacs-26 ee512e9: Ignore buffers whose name begins with a space in save-some-buffers
Next by Date: Re: Alerting users to new releases
Previous by thread: Re: security-patches package
Next by thread: Re: security-patches package
Index(es):
- Date
- Thread