From: Tim Cross <theophilusx@gmail.com>
To: Jean Louis <bugs@gnu.support>
Cc: emacs-orgmode@gnu.org
Subject: Re: Security issues in Emacs packages
Date: Thu, 26 Nov 2020 10:39:57 +1100
Message-ID: <87h7pd6m5u.fsf@gmail.com>
In-Reply-To: <X77jlBDGaVeF9/u+@protected.rcdrun.com>

Jean Louis <bugs@gnu.support> writes:

>>
>> this is wrong. In melpa you specify either a commit (SHA) or a branch or
>> both. The repository owner has control over this. MELPA doesn't just
>> pull data from the repository because there has been an update. You can
>> configure things so that whenever data is committed to a release branch,
>> it is pulled, but this is under the control of the repository owner. It
>> isn't that different to ELPA where the maintainer will either push new
>> data to the ELPA repository (or ask someone with write permission to
>> pull it from their repository).
>
> OK it is great that it is so. Are you maybe author doing it? Is there
> any reference that authors are doing so? I have MELPA downloaded you
> could tell me how do I see that author is deciding if package is for
> release?
>

You can clone the melpa repository and see the recipes for each
package. It depends on how the author specifies their MELPA recipe.

They can define their recipe based on a specific commit (SHA). If they
do this, it doesn't matter how often or when MELPA pulls from the
repository as they will always get the same commit.

They can also specify a branch rather than a commit SHA. In this case,
MELPA will retrieve updates from that branch, so when that branch is
updated, it will pull new data. In this case, it is up to the developer
to manage their 'release' branch appropriately. When they are ready for
a new release, they push their updates to the release branch and update
the version tag.

This is pretty much the same as ELPA works for external packages (those
which don't manage their code within the GNU ELPA repository itself).

>
> So is there automatic pulling?
>
> I compare automatic pulling and building to author's decision on when
> a package would be issued.
>

Your model is flawed. You can have both automatic pulling AND author
control over when a new package is issued.

If author defines their MELPA recipe to use a SHA a new package will not
be issued until they update their recipe with a new SHA.

If author defines their MELPA recipe to pull from a release branch, a
new package will not be issued until they update the release branch and
version tag.

MELPA does not automatically generate a new package just because
something has changed within the git repository. It has to be a change
to a specified branch and update to the version tag or it has to be a
change in the recipe with an update to the commit SHA.

--
Tim Cross
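The recipe inspection suggested in the message above, as an added example that is not part of the original email or MELPA's own code: a Python script that parses recipe s-expressions and reports whether each names a `:commit`, a `:branch`, both or neither. The sample recipes and package names are constructed, and the `recipes/` directory of a local clone is assumed as the input to `audit`.

```python
import re
from pathlib import Path

# One token: a ";" comment, a "string", a paren, or a bare atom/keyword.
TOKEN = re.compile(r'\s*(?:;[^\n]*|("(?:\\.|[^"\\])*")|([()])|([^\s()";]+))')
FULL_SHA1 = re.compile(r"[0-9a-f]{40}")  # a full SHA-1 object name

def read_recipe(text):
    """Parse one recipe s-expression into nested lists of strings."""
    stack = []
    for m in TOKEN.finditer(text):
        string, paren, atom = m.groups()
        if paren == "(":
            stack.append([])
        elif paren == ")":
            if not stack:
                raise ValueError("unbalanced ')'")
            done = stack.pop()
            if not stack:
                return done  # outermost form closed
            stack[-1].append(done)
        elif string is not None or atom is not None:
            if not stack:
                raise ValueError("text outside the recipe form")
            stack[-1].append(string[1:-1] if string is not None else atom)
    raise ValueError("recipe form is not closed")

def pinning(text):
    """Report what a recipe names: a :commit, a :branch, both, or neither."""
    name, *plist = read_recipe(text)
    props = dict(zip(plist[0::2], plist[1::2]))  # keyword/value pairs
    commit, branch = props.get(":commit"), props.get(":branch")
    kind = {(True, True): "commit+branch", (True, False): "commit",
            (False, True): "branch",
            (False, False): "neither"}[(bool(commit), bool(branch))]
    return {"package": name, "kind": kind, "commit": commit, "branch": branch,
            "full_sha": bool(commit and FULL_SHA1.fullmatch(commit))}

def audit(recipes_dir):
    """Classify every recipe file in a local clone's recipes/ directory."""
    files = sorted(p for p in Path(recipes_dir).iterdir() if p.is_file())
    return [pinning(p.read_text(encoding="utf-8")) for p in files]

# Constructed sample recipes (not real packages).
SAMPLES = [
    '(demo-pinned :fetcher github :repo "example/demo-pinned"\n'
    '  :commit "0123456789abcdef0123456789abcdef01234567")',
    '(demo-release :fetcher git :url "https://example.invalid/demo.git"\n'
    '  :branch "release" :files ("*.el" (:exclude "test-*.el")))',
    '(demo-plain :fetcher github :repo "example/demo-plain") ; no pin',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(pinning(sample))
```

Running `audit()` over a clone's recipe directory gives a per-package list that can be filtered for packages you install, so you know which ones follow a moving branch and which are fixed to one commit.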