From: Jean Louis <bugs@gnu.support>
To: Tim Cross <theophilusx@gmail.com>
Cc: Greg Minshall <minshall@umich.edu>, emacs-orgmode@gnu.org
Subject: Re: Security issues in Emacs packages
Date: Fri, 27 Nov 2020 05:19:43 +0300
Message-ID: <X8BiP4GyIgHg2Dh+@protected.rcdrun.com>
In-Reply-To: <87wny74v5w.fsf@gmail.com>

* Tim Cross <theophilusx@gmail.com> [2020-11-27 01:21]:
>
> Greg Minshall <minshall@umich.edu> writes:
>
> > Tim,
> >
> >> It could, but to get that level of assurance, you not only have to
> >> verify the signature is valid (something which is automated if
> >> enabled), you also need to verify that both packages have the exact
> >> same signature, which is pretty much a manual process. So in addition
> >> to telling you the version number, George would also need to
> >> communicate the signature and that would need to be compared to the
> >> signature you have in the package you downloaded to know that the
> >> packages are in fact the same (you cannot rely on version numbers for
> >> any real verification).
> >
> > if MELPA's release procedure prevented two separate releases of version
> > 1.2.3 of package xYandZ from being released, wouldn't that obviate the
> > requirement for George to give me signatures? that was my thought as to
> > why a signed (MELPA, version number, package name) would be enough.
> > (i've no idea if MELPA's procedures would actually conform to my
> > "requirement".)
> >
>
> Possibly, but I'm not sure it does/can. From my limited understanding,
> the version number is determined by the git tag (for stable packages - I
> think the date is used for unstable). This is as it should be as it
> should be the package maintainer who controls the version number, not
> the packaging service (especially for maintainers who use semantic
> versioning where the version number actually conveys information about
> the package).

Some days or weeks ago we discussed this in a different thread, not on this mailing list. I think emacs-devel.

Authors by convention write the version numbers in their packages aligned to the Emacs Lisp manual section on Packaging. MELPA injects its own version, which it takes from git as a commit number. Thus MELPA does not use the author's version number. It should be obvious from package-list-packages that the same version of a package in GNU ELPA does not have the same version number in MELPA; that is confusion created for no good reason but to minimize programming efforts at MELPA.

> At the end of the day, this is essentially a supply chain problem. To
> really have confidence, you need confidence in the whole supply chain,
> not just the distribution centre.

Either way it could be good; it depends on what the distribution center does. Are they auditing packages and making sure of security, or are they just packaging without any audit? Maybe the distribution center verifies all PGP signatures and we may trust such a center, maybe not. The OpenBSD software audits packages. It cannot ever be fully secure, but for the base system one can rest assured that developers have put a lot of effort into making it secure. Trust with users is then created based on the relation and background of the OS distribution.

> Personally, I wish both GNU and Melpa had adopted a push mechanism for
> package release. Something similar to npmjs.com where the package
> author/maintainer would submit a signed package (publish) to the
> repository. This would make it producers of the package code we trust,
> not the distribution center (repository).

I wish that too.
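The point made in the thread, that an (archive, package name, version) triple is a label rather than an identity, can be shown with a small added check. This example is not from the thread or from package.el; it uses constructed package bytes and compares content digests, which is what an author would need to publish out of band (OpenPGP signature packets carry a creation time, so two signatures over the same bytes differ and are not themselves a stable identity).

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PackageFile:
    """One package file as served by one archive (constructed, not real ELPA data)."""
    archive: str
    name: str
    version: str
    data: bytes  # the .el or .tar bytes exactly as downloaded

    def digest(self) -> str:
        # Identity is the hash of the served bytes, never the version string.
        return hashlib.sha256(self.data).hexdigest()


def same_release(a: PackageFile, b: PackageFile) -> bool:
    """What a version-number comparison can tell you: only that the labels match."""
    return (a.name, a.version) == (b.name, b.version)


def same_content(a: PackageFile, b: PackageFile) -> bool:
    """What you actually need: identical bytes behind the same label."""
    return same_release(a, b) and a.digest() == b.digest()


def reconcile(files, author_pins):
    """Group files by (name, version); report whether every archive serves the same
    bytes and whether those bytes are the ones the author pinned.
    author_pins maps (name, version) -> sha256 hex the author published out of band."""
    groups = defaultdict(list)
    for f in files:
        groups[(f.name, f.version)].append(f)
    report = {}
    for key, copies in groups.items():
        digests = {c.digest() for c in copies}
        report[key] = {
            "archives": sorted(c.archive for c in copies),
            "consistent": len(digests) == 1,
            "matches_author": len(digests) == 1 and author_pins.get(key) in digests,
        }
    return report


# Constructed sample: two archives both label the file "xyandz 1.2.3", but one copy
# has an extra form appended. The author published the digest of the genuine file.
GENUINE = b";;; xyandz.el --- example\n;; Version: 1.2.3\n(provide 'xyandz)\n"
ALTERED = GENUINE + b"(message \"not in the author's release\")\n"
FILES = [PackageFile("gnu", "xyandz", "1.2.3", GENUINE),
         PackageFile("mirror", "xyandz", "1.2.3", ALTERED)]
AUTHOR_PINS = {("xyandz", "1.2.3"): hashlib.sha256(GENUINE).hexdigest()}
```

Running `reconcile(FILES, AUTHOR_PINS)` flags the release as inconsistent across archives and not matching the author's pin, while the version labels alone would have called the two copies the same.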