bug#32544: [ELPA] core packages need generated files

From: Stefan Monnier
Subject: bug#32544: [ELPA] core packages need generated files
Date: Tue, 28 Aug 2018 07:54:46 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux)

>> I think the reasons why I'm more worried about elpa.gnu.org than the
>> end-user's machines include:
>> - very little time between the moment we receive the commit-diffs by
>>   email and the moment the code is run.  So even if we notice the
>>   offending code on the spot, there's not much time to react.
>> - elpa.gnu.org is part of infrastructure that Emacs users trust when
>>   downloading GNU ELPA packages (e.g. it holds the PGP signing key), so
>>   a breach could affect all GNU ELPA users (especially if not
>>   noticed).

One more reason:

- elpa.gnu.org *can* run that code in a sandbox, whereas the end-user
  really wants to run the package's code in his "real" system (or
  otherwise would need to run his whole Emacs session in a sandbox).

> Sounds very sensible, best of luck! :)

Hmm... looks like you forgot to attach the patch to your message.
Could you send it again, please?
