Org-mode mailing list
From: Tim Cross <theophilusx@gmail.com>
To: Jean Louis <bugs@gnu.support>
Cc: emacs-orgmode@gnu.org
Subject: Re: Security issues in Emacs packages
Date: Thu, 26 Nov 2020 17:46:43 +1100
Message-ID: <87360w62ek.fsf@gmail.com>
In-Reply-To: <X788JKq1bcUcAB4W@protected.rcdrun.com>


Jean Louis <bugs@gnu.support> writes:

> * Tim Cross <theophilusx@gmail.com> [2020-11-26 02:40]:
>> > OK, it is great that it is so. Are you maybe an author doing it? Is there
>> > any reference that authors are doing so? I have MELPA downloaded; you
>> > could tell me how I can see that the author is deciding whether a package is
>> > for release?
>> >
>>
>> You can clone the melpa repository and see the recipes for each
>> package.
>
> I did before some time.
>
>> It depends on how the author specifies their MELPA recipe. They can
>> define their recipe based on a specific commit (SHA). If they do this,
>> it doesn't matter how often or when MELPA pulls from the repository as
>> they will always get the same commit.
>
> I have not seen that, and I assumed you would know better. I
> wanted to see how authors report that a package is ready for
> release, and I do not see that.
>
> Recipes are like this:
>
> (0blayout :repo "etu/0blayout-mode" :fetcher github)
>
> (0x0 :url "https://git.sr.ht/~zge/nullpointer-emacs" :fetcher git)
>
> (0xc :fetcher github :repo "AdamNiederer/0xc")
>
> So the recipe alone does not tell me that the author reports that a new
> package is ready; it is fetched from git. But there are parts of the code
> that I did not see, which is why I am assuming you know it better.
>
>> Your model is flawed. You can have both automatic pulling AND author
>> control over when a new package is issued.
>
> To make it practical, tell me where that author's control is.
>
> I had a quick look at the files, and the recipe files in the directory
> melpa/recipes do not give me any pointers; it is all automated and
> fetched from git.
>
>> If author defines their MELPA recipe to use a SHA a new package will not
>> be issued until they update their recipe with a new SHA.
>
> You seem to be very confident, and for this reason I assume you know it
> better, but because of the contradictions please show one practical recipe
> or package where the author has control over when the package is ready to
> be released.
>
> $ grep sha *
>
> on the recipes does not give any reference.
>
> $ grep commit *
>
> eval-in-repl:              :commit  "origin/master")
> git-auto-commit-mode:(git-auto-commit-mode :fetcher github :repo "ryuslash/git-auto-commit-mode")
> git-commit:(git-commit :fetcher github
> git-commit:            :files ("lisp/git-commit.el")
> git-commit:            :old-names (git-commit-mode))
> git-commit-insert-issue:(git-commit-insert-issue :fetcher gitlab :repo "emacs-stuff/git-commit-insert-issue")
> vc-auto-commit:(vc-auto-commit :fetcher github :repo "thisirs/vc-auto-commit")
> what-the-commit:(what-the-commit :fetcher github
> what-the-commit:         :repo "danielbarbarito/what-the-commit.el")
>
> So there is nothing I can find that points to or references what you
> say.
>
>> If author defines their MELPA recipe to pull from a release branch, a
>> new package will not be issued until they update the release branch and
>> version tag.
>
> I am sorry, I do not see a reference to it. You are convincing, but I do
> not see a reference.
>
> Recipe for bar-cursor:
> (bar-cursor :repo "ajsquared/bar-cursor"
> :fetcher github)
>
> Recipe for magit:
>
> (magit :fetcher github
>        :repo "magit/magit"
>        :files ("lisp/magit"
>                "lisp/magit*.el"
>                "lisp/git-rebase.el"
>                "Documentation/magit.texi"
>                "Documentation/AUTHORS.md"
>                "LICENSE"
>          (:exclude "lisp/magit-libgit.el"
>        ;; Cannot remove this yet because it would
>        ;; also be removed from the stable version.
>        ;; "lisp/magit-section.el"
>        )))
>
> Repo magit/magit:
> https://github.com/magit/magit
>
> I have given you references; maybe I cannot read that well, so you can
> give me references showing whether authors participate in the decision.
>

The available recipe options are all clearly documented in the README
for the melpa repository. Most maintainers don't use the :commit option
because it is extremely inconvenient, but it is there if they want it.
It is inconvenient because it means the recipe has to be updated, which
means a pull request has to be accepted before the package can be released.

Most maintainers will maintain a specific branch for releases. This is
normal practice in version control. Often, this is the master branch,
but 'release' and 'melpa' are also commonly used. Code is not pushed
onto these branches until it is ready for release. The package
maintainer has full control of this branch and therefore has full
control over when new code is released. This is also the model used by
GNU ELPA for external packages.

This is not the model you imply, where MELPA just grabs the data
whenever it wants and releases a new version without management by the
package maintainer, resulting in the release of code that is not ready
for release.

--
Tim Cross
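As an added example, not code from this thread or from MELPA's own build tooling: a small Python audit that parses recipe forms like the ones quoted above and reports, for each package, whether the maintainer has pinned a commit, restricted MELPA to a release branch, or left MELPA tracking the repository's default branch. The sample recipes are constructed; only the 0blayout and magit forms reproduce recipes quoted in the thread, the repos, SHA and branch name for the other entries are placeholders, and the `:branch` keyword (documented in MELPA's README, though not quoted in this message) is assumed to mean what its name says. One caveat the script encodes: a `:commit "origin/master"` like the one the grep above turned up for eval-in-repl names a branch rather than a SHA, so the audit treats it as a moving reference rather than a pin; that reading is an assumption about how the ref resolves at fetch time, not something the thread states.

```python
"""Audit MELPA-style recipes for the release-control mode each one expresses."""
import re

# Constructed sample input, modelled on the recipe forms quoted in the thread.
# Only 0blayout and magit reproduce recipes shown there; the other names,
# repos, the SHA and the branch name are made-up placeholders.
SAMPLE_RECIPES = r"""
(0blayout :repo "etu/0blayout-mode" :fetcher github)

(eval-in-repl :fetcher github :repo "example/eval-in-repl"
              :commit "origin/master")

(pinned-example :fetcher github :repo "example/pinned-example"
                :commit "0123456789abcdef0123456789abcdef01234567")

(branch-example :fetcher github :repo "example/branch-example"
                :branch "release")

(magit :fetcher github
       :repo "magit/magit"
       :files ("lisp/magit"
               "lisp/magit*.el"
               (:exclude "lisp/magit-libgit.el"
               ;; Cannot remove this yet because it would
               ;; also be removed from the stable version.
               ;; "lisp/magit-section.el"
               )))
"""

TOKEN_RE = re.compile(r'''
      ;[^\n]*                # line comment, discarded
    | "(?:\\.|[^"\\])*"      # string literal
    | [()]                   # list delimiters
    | [^\s()";]+             # symbol, keyword or number
''', re.VERBOSE)


class Symbol(str):
    """A Lisp symbol (keywords such as :commit included), distinct from a string literal."""


def parse_forms(text):
    """Parse every top-level s-expression in TEXT into nested Python lists."""
    stack = [[]]
    for match in TOKEN_RE.finditer(text):
        tok = match.group(0)
        if tok.startswith(';'):
            continue
        if tok == '(':
            stack.append([])
        elif tok == ')':
            if len(stack) == 1:
                raise ValueError('unexpected closing parenthesis')
            finished = stack.pop()
            stack[-1].append(finished)
        elif tok.startswith('"'):
            stack[-1].append(tok[1:-1].replace('\\"', '"'))
        else:
            stack[-1].append(Symbol(tok))
    if len(stack) != 1:
        raise ValueError('unbalanced parentheses')
    return stack[0]


def recipe_to_dict(form):
    """Turn (NAME :key val ...) into (name, {':key': val, ...})."""
    if not form or not isinstance(form[0], Symbol):
        raise ValueError(f'malformed recipe: {form!r}')
    name, *plist = form
    if len(plist) % 2:
        raise ValueError(f'{name}: odd number of plist elements')
    props = {}
    for key, value in zip(plist[0::2], plist[1::2]):
        if not (isinstance(key, Symbol) and key.startswith(':')):
            raise ValueError(f'{name}: expected keyword, got {key!r}')
        props[key] = value
    return str(name), props


FULL_SHA = re.compile(r'^[0-9a-f]{40}$')


def classify(props):
    """Name the release-control mode a recipe's plist expresses."""
    commit = props.get(':commit')
    if commit is not None:
        if isinstance(commit, str) and FULL_SHA.match(commit):
            return 'pinned-commit'      # a new release needs a recipe update
        # Assumption: a branch name in :commit (e.g. "origin/master") is not a
        # pin; it resolves to the branch tip at fetch time, so it moves.
        return 'moving-ref'
    if ':branch' in props:
        return 'release-branch'         # maintainer gates releases by pushing to that branch
    return 'default-branch'             # every push to the default branch becomes a release


def audit(text):
    """Map each recipe name in TEXT to its classification."""
    return {name: classify(props)
            for name, props in (recipe_to_dict(form) for form in parse_forms(text))}


if __name__ == '__main__':
    for name, mode in audit(SAMPLE_RECIPES).items():
        print(f'{name:16} {mode}')
```

Run against a checkout of the recipes directory by reading each file into `audit`; the interesting rows are the `moving-ref` ones, since those look pinned in a grep but are not.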

