ELPA security

emacs-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

ELPA security

From:	George Kadianakis
Subject:	ELPA security
Date:	Sun, 09 Dec 2012 16:41:50 +0200
User-agent:	Microsoft Outlook Express 6.00.2900.5843

Hi,

I've been looking into ELPA (the Emacs Lisp Package Archive) and I
noticed that package.el provides no security of any kind. It doesn't
do signatures, SSL, timestamps or anything.

Are you actually considering deploying a system that downloads
untrusted code from the Internet every time a user asks for a new
package or asks to upgrade his current packages?

Package management is serious business [0]. It's sad to see ELPA
approaching the problem so insecurely.

Can't you at the very least, enable HTTPS on tromey.com and pin its
public key on package.el?

Thanks!

[0]:
http://isis.poly.edu/~jcappos/papers/cappos_pmsec_tr08-02.pdf
https://www.cs.arizona.edu/stork/packagemanagersecurity/
or just search google for "package manager security".

[Prev in Thread]

Current Thread

[Next in Thread]

ELPA security, George Kadianakis <=
- Re: ELPA security, Nic Ferrier, 2012/12/09
- Re: ELPA security, Ted Zlatanov, 2012/12/21
  - Re: ELPA security, Xue Fuqiao, 2012/12/21
  - Re: ELPA security, Bastien, 2012/12/22
    - Re: ELPA security, Xue Fuqiao, 2012/12/22
    - Re: ELPA security, Stephen J. Turnbull, 2012/12/22
    - Re: ELPA security, Bastien, 2012/12/22
    - Re: ELPA security, Bastien, 2012/12/22
    - package.el + DVCS for security and convenience (was: ELPA security), Ted Zlatanov, 2012/12/22
    - Re: package.el + DVCS for security and convenience, Nic Ferrier, 2012/12/24

Prev by Date: Re: Two strange messages while building Emacs on MS-Windows
Next by Date: Re: Two strange messages while building Emacs on MS-Windows
Previous by thread: Why is `C-x 8' limited to Latin-1 for search?
Next by thread: Re: ELPA security
Index(es):
- Date
- Thread