[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Fwd: Should package.el support notifying on package security updates
|
From: |
Tim Cross |
|
Subject: |
Re: Fwd: Should package.el support notifying on package security updates? |
|
Date: |
Sat, 13 Aug 2022 10:58:40 +1000 |
|
User-agent: |
mu4e 1.8.8; emacs 29.0.50 |
Stefan Monnier <monnier@iro.umontreal.ca> writes:
>
> I'm not sure it would be a big problem. But I'm not sure it would be an
> improvement either. Especially because I suspect it might give the
> false impression that the code of ELisp packages is somewhat
> security-conscious, whereas in my experience, the vast majority of Emacs
> packages isn't (they may end up secure by accident, of course).
>
>
That is an extremely important point. Very few people even gives this a
thought when installing packages - especially packages from MELPA and
other external repositories. Having 'security' would imply for some that
there is a formal security process for reviewing, tracking and reporting
security issues. We don't have any of this and advertising some updates
as security fixes could well create a false sense of security.
Re: Fwd: Should package.el support notifying on package security updates?, Richard Stallman, 2022/08/13