Org-mode mailing list
 help / color / mirror / Atom feed
From: Greg Minshall <minshall@umich.edu>
To: Tim Cross <theophilusx@gmail.com>
Cc: emacs-orgmode@gnu.org, Jean Louis <bugs@gnu.support>
Subject: Re: Security issues in Emacs packages
Date: Thu, 26 Nov 2020 15:27:22 +0300
Message-ID: <3505547.1606393642@apollo2.minshall.org> (raw)
In-Reply-To: Your message of "Thu, 26 Nov 2020 17:35:36 +1100." <875z5s62x3.fsf@gmail.com>

Tim,

> It could, but to get that level of assurance, you not only have to
> verify the signature is valid (something which is automated if
> enabled), you also need to verify that both packages have the exact
> same signature, which is pretty much a manual process. So in addition
> to telling you the version number, George would also need to
> communicate the signature and that would need to be compared to the
> signature you have in the package you downloaded to know that the
> packages are in fact the same (you cannot rely on version numbers for
> any real verification).

if MELPA's release procedure prevented two separate releases of version
1.2.3 of package xYandZ from being released, wouldn't that obviate the
requirement for George to give me signatures?  that was my thought as to
why a signed (MELPA, version number, package name) would be enough.
(i've no idea if MELPA's procedures would actually conform to my
"requirement".)

cheers, Greg


  reply	other threads:[~2020-11-26 12:28 UTC|newest]

Thread overview: 151+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-11-21  0:33 One vs many directories Texas Cyberthal
2020-11-21  5:13 ` Ihor Radchenko
2020-11-21  7:56   ` Jean Louis
2020-11-21  8:31     ` Texas Cyberthal
2020-11-21  9:29       ` Marvin ‘quintus’ Gülker
2020-11-21 10:21       ` Jean Louis
2020-11-21 15:00         ` Texas Cyberthal
2020-11-21 16:08           ` Jean Louis
2020-11-21 15:03     ` Dr. Arne Babenhauserheide
2020-11-21 15:45       ` Texas Cyberthal
2020-11-21 17:12         ` Jean Louis
2020-11-21 18:01           ` Texas Cyberthal
2020-11-21 18:57             ` Jean Louis
2020-11-22  6:36           ` Ihor Radchenko
2020-11-22  7:20             ` Jean Louis
2020-11-22  8:32               ` Ihor Radchenko
2020-11-22  8:56                 ` Jean Louis
2020-11-21 22:36         ` Dr. Arne Babenhauserheide
     [not found]           ` <CAMUm491Psp0u5JKyGROP6M=UfAcvOLTtOKAD1rOearV+KxgYdQ@mail.gmail.com>
     [not found]             ` <87r1olfvh4.fsf@web.de>
2020-11-23  9:50               ` Texas Cyberthal
2020-11-23 13:17                 ` Jean Louis
2020-11-23 14:16                   ` Ihor Radchenko
2020-11-23 18:08                     ` Is Org really so simple? Jean Louis
2020-11-23 20:41                       ` Tom Gillespie
2020-11-24  5:06                         ` Jean Louis
2020-11-26  3:08                       ` Ihor Radchenko
2020-11-26  8:57                         ` Jean Louis
2020-11-29  7:20                           ` Ihor Radchenko
2020-11-29 16:22                             ` Jean Louis
2020-11-26 18:07                         ` Dr. Arne Babenhauserheide
2020-11-26 23:09                       ` David Rogers
2020-11-27  0:43                         ` Tim Cross
2020-11-27  2:56                         ` Jean Louis
2020-11-23 16:07                   ` One vs many directories Texas Cyberthal
2020-11-23 19:20                     ` Jean Louis
2020-11-24  7:55                       ` Ihor Radchenko
2020-11-28 16:16                         ` Jean Louis
2020-11-28 16:33                           ` Christopher Dimech
2020-11-25  6:57                       ` Texas Cyberthal
2020-11-25  9:51                         ` Jean Louis
2020-11-25 10:39                           ` Texas Cyberthal
2020-11-25 11:02                             ` Jean Louis
2020-11-26 16:04                               ` Texas Cyberthal
2020-11-26 17:31                                 ` Jean Louis
2020-11-27  9:00                                   ` Texas Cyberthal
2020-11-27 10:45                                     ` Jean Louis
2020-11-28  8:18                                       ` Texas Cyberthal
2020-11-28 10:09                                         ` Jean Louis
2020-11-29  6:18                                           ` Texas Cyberthal
2020-11-29  6:53                                             ` Jean Louis
2020-11-30  7:35                                               ` Texas Cyberthal
2020-11-30  7:50                                                 ` Ihor Radchenko
2020-11-30 10:25                                                   ` Texas Cyberthal
2020-11-30 10:57                                                 ` Jean Louis
2020-11-30 12:27                                                   ` Ihor Radchenko
2020-11-30 12:28                                                   ` Ihor Radchenko
2020-11-30 19:00                                                     ` Jean Louis
2020-12-02  2:56                                                       ` Ihor Radchenko
2020-12-02  6:14                                                         ` Jean Louis
2020-12-02  7:23                                                           ` Ihor Radchenko
2020-11-21 16:55       ` Jean Louis
2020-11-21 22:48         ` Dr. Arne Babenhauserheide
2020-11-22  0:48           ` Jean Louis
2020-11-22  2:47             ` briangpowell
2020-11-22 17:55               ` Jean Louis
2020-11-21  6:12 ` Palak Mathur
2020-11-21  9:04   ` Jean Louis
2020-11-21  6:36 ` Jean Louis
2020-11-21  7:17   ` Texas Cyberthal
2020-11-21  9:53     ` Jean Louis
2020-11-21 10:15       ` Tim Cross
2020-11-21 11:18         ` Jean Louis
2020-11-21 14:44       ` Texas Cyberthal
2020-11-21 15:45         ` Jean Louis
2020-11-23  5:40     ` Ihor Radchenko
2020-11-24  9:00       ` Jean Louis
2020-11-24  9:45         ` Eric S Fraga
2020-11-24  9:51           ` Jean Louis
2020-11-24 11:42             ` Eric S Fraga
2020-11-24 13:13               ` Diego Zamboni
2020-11-24 13:49                 ` Jean Louis
2020-11-24 17:02                 ` Jean Louis
2020-11-24 18:50                   ` Dr. Arne Babenhauserheide
2020-11-24 18:58                     ` Jean Louis
2020-11-25  6:39                       ` Tim Cross
2020-11-25 12:38                         ` Local variables insecurities - " Jean Louis
2020-11-25 13:05                           ` Eric S Fraga
2020-11-25 13:13                             ` Jean Louis
2020-11-25 13:58                               ` Eric S Fraga
2020-11-25 14:07                                 ` Jean Louis
2020-11-25 20:54                                   ` Tim Cross
2020-11-25 22:09                                     ` Jean Louis
2020-11-26  2:06                                       ` Tom Gillespie
2020-11-26  5:06                                         ` Jean Louis
2020-11-26  5:31                                         ` Jean Louis
2020-11-26  6:18                                           ` Tom Gillespie
2020-11-26  9:10                                             ` Jean Louis
2020-11-26 11:44                                           ` Detlef Steuer
2020-11-26 12:06                                             ` Jean Louis
2020-11-26  5:34                                         ` Greg Minshall
2020-11-26  5:49                                           ` Jean Louis
2020-11-26  8:39                             ` Christian Moe
2020-11-25  8:10                       ` Dr. Arne Babenhauserheide
2020-11-25  8:36                         ` Local variables liberties Jean Louis
2020-11-24 20:11                     ` One vs many directories Tom Gillespie
2020-11-24 20:39                       ` Tim Cross
2020-11-25  4:54                         ` Jean Louis
2020-11-25  5:54                           ` Tim Cross
2020-11-25  7:01                             ` Local variables issue - " Jean Louis
2020-11-25  5:06                         ` Jean Louis
2020-11-25  7:00                           ` Tim Cross
2020-11-25  8:23                             ` Security issues in Emacs packages Jean Louis
2020-11-25  9:07                               ` tomas
2020-11-25  9:26                                 ` Jean Louis
2020-11-25 10:41                                   ` tomas
2020-11-25 22:46                               ` Tim Cross
2020-11-25 23:07                                 ` Jean Louis
2020-11-25 23:39                                   ` Tim Cross
2020-11-26  5:24                                     ` Jean Louis
2020-11-26  6:46                                       ` Tim Cross
2020-11-26  5:29                                 ` Greg Minshall
2020-11-26  5:53                                   ` Jean Louis
2020-11-26  6:35                                   ` Tim Cross
2020-11-26 12:27                                     ` Greg Minshall [this message]
2020-11-26 22:20                                       ` Tim Cross
2020-11-27  2:19                                         ` Jean Louis
2020-11-27  4:42                                         ` Greg Minshall
2020-11-25  4:44                       ` One vs many directories Jean Louis
2020-11-25 10:19           ` org-sbe to automate some source block executions Jean Louis
2020-11-25 11:39             ` Ihor Radchenko
2020-11-25 15:06               ` Jean Louis
2020-11-25 11:46           ` One vs many directories Jean Louis
2020-11-25 13:07             ` Eric S Fraga
2020-11-25 13:14               ` Jean Louis
2020-11-25 13:12             ` Ihor Radchenko
2020-11-25 13:32               ` Jean Louis
2020-11-24 18:47         ` Dr. Arne Babenhauserheide
2020-11-24 18:54           ` Jean Louis
2020-11-25  8:14             ` Dr. Arne Babenhauserheide
2020-11-25  8:46               ` Jean Louis
2020-11-25 11:46                 ` Ihor Radchenko
2020-11-26 12:47                   ` Jean Louis
2020-11-26 13:27                     ` Ihor Radchenko
2020-12-02 10:12                       ` Jean Louis
2020-12-02  9:49                   ` Jean Louis
2020-11-26  3:47           ` Ihor Radchenko
2020-11-26  3:32         ` Ihor Radchenko
2020-11-26 11:58           ` Jean Louis
2020-11-29  7:56             ` Ihor Radchenko
2020-11-29 17:57               ` Jean Louis
2020-11-21 13:41 ` Jonathan McHugh
2020-11-21 14:04   ` Jean Louis

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://orgmode.org

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=3505547.1606393642@apollo2.minshall.org \
    --to=minshall@umich.edu \
    --cc=bugs@gnu.support \
    --cc=emacs-orgmode@gnu.org \
    --cc=theophilusx@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Org-mode mailing list

This inbox may be cloned and mirrored by anyone:

	git clone --mirror https://orgmode.org/list/0 list/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 list list/ https://orgmode.org/list \
		emacs-orgmode@gnu.org
	public-inbox-index list

Example config snippet for mirrors.
Newsgroups are available over NNTP:
	nntp://news.yhetil.org/yhetil.emacs.orgmode
	nntp://news.gmane.io/gmane.emacs.orgmode


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git