bug-gnu-emacs

bug#19479: Package manager vulnerable


From: Kelly Dean
Subject: bug#19479: Package manager vulnerable
Date: Thu, 08 Jan 2015 11:40:25 +0000

BTW, Stefan mentioned (see bug #19536) that you don't use package-x for 
elpa.gnu.org, and instead use some other scripts, so it just occurred to me 
that you might not immediately notice that my patch not only verifies hashes, 
but also generates them, so there's nothing extra you need to do.

Just use package-upload-file from package-x.el, and it will automatically add 
the appropriate entry (including hash) for the package to the archive-contents 
file.

Apply the fix for bug #19536 if you want package-upload-file to correctly add 
tar files to the archive's package directory. (It already correctly adds 
single-file packages.)

GNU elpa, Melpa, and Marmalade can start using the new archive-contents now. 
Old clients will still work fine, and simply ignore the hashes. New clients 
will verify them.




