emacs-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: security of the emacs package system, elpa, melpa and marmalade


From: Stephen J. Turnbull
Subject: Re: security of the emacs package system, elpa, melpa and marmalade
Date: Tue, 01 Oct 2013 11:19:50 +0900

Matthias Dahl writes:

 > I am not saying a sandbox is the best solution. But imho, something
 > should be done... or would be nice to have. Even if it is community
 > based reputation system.

We already have that.  GNU ELPA requires somebody who has been
acknowledged to be responsible to look at it before it gets added.
Some of the others don't.

 > Who said it should get those privileges denied? If it was installed and
 > declared its required permissions, it will get those. Or am I missing
 > something obvious from your statement/question here?

No, you're missing the fact that self-declaring required permissions
means you get all the permissions you need.  For good or evil....

 > > Sure.  But the chances are pretty good that I would.  Anyway, the
 > > definition of "absolutely need" is "I'm willing to bet that I or some
 > > other user would catch it even if the author doesn't."
 > 
 > So you check the source for the plugins you use with each new
 > update?

On exposed hosts and for applications that can be invoked by any user,
yes, I do.

 > Which shows, you care about security too and take preventive measures.
 > Unfortunately, not everybody can work that way for various reasons, though.

And those who don't will eventually pay the price.  That's OK, it may
very well be a rational choice to take the risk.  I do, on other hosts
with other purposes.  But the problem is that typically other people
*also* pay the price.



reply via email to

[Prev in Thread] Current Thread [Next in Thread]