bug#19479: Package manager vulnerable
From: Kelly Dean
Subject: bug#19479: Package manager vulnerable
Date: Thu, 08 Jan 2015 11:40:25 +0000

BTW, Stefan mentioned (see bug #19536) that you don't use package-x for
elpa.gnu.org, and instead use some other scripts, so it just occurred to me
that you might not immediately notice that my patch not only verifies hashes,
but also generates them, so there's nothing extra you need to do.
Just use package-upload-file from package-x.el, and it will automatically add
the appropriate entry (including hash) for the package to the archive-contents
file.
Apply the fix for bug #19536 if you want package-upload-file to correctly add
tar files to the archive's package directory. (It already correctly adds
single-file packages.)
GNU elpa, Melpa, and Marmalade can start using the new archive-contents now.
Old clients will still work fine, and simply ignore the hashes. New clients
will verify them.