emacs-devel
ELPA security


From: George Kadianakis
Subject: ELPA security
Date: Sun, 09 Dec 2012 16:41:50 +0200
User-agent: Microsoft Outlook Express 6.00.2900.5843

Hi,

I've been looking into ELPA (the Emacs Lisp Package Archive) and I
noticed that package.el provides no security of any kind. It doesn't
do signatures, SSL, timestamps or anything.

Are you actually considering deploying a system that downloads
untrusted code from the Internet every time a user asks for a new
package or asks to upgrade his current packages?

Package management is serious business [0]. It's sad to see ELPA
approaching the problem so insecurely.

Can't you, at the very least, enable HTTPS on tromey.com and pin its
public key in package.el?

Thanks!

[0]:
http://isis.poly.edu/~jcappos/papers/cappos_pmsec_tr08-02.pdf
https://www.cs.arizona.edu/stork/packagemanagersecurity/
or just search Google for "package manager security".
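The "pin its public key" suggestion above, as an added example that is not code from the original message or from package.el: a Go client-side check that hashes the leaf certificate's SubjectPublicKeyInfo (SPKI) and rejects the TLS handshake unless the hash is in a pinned set. The host name "tromey.com" is taken from the message; the self-signed certificate is generated inline as a constructed stand-in for the archive host's real certificate, and the function names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SPKIPin returns the base64 SHA-256 digest of a certificate's
// SubjectPublicKeyInfo; this is the value a client ships as its pin.
// Pinning the key (not the whole certificate) survives a renewal
// that keeps the same key pair.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinVerifier builds a tls.Config.VerifyPeerCertificate callback that
// rejects any handshake whose leaf certificate key is not in pins.
// Go runs it after normal chain validation, so it adds to, rather than
// replaces, the usual CA checks.
func PinVerifier(pins []string) func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	allowed := make(map[string]bool, len(pins))
	for _, p := range pins {
		allowed[p] = true
	}
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("pin check: no peer certificate presented")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return fmt.Errorf("pin check: %w", err)
		}
		if !allowed[SPKIPin(leaf)] {
			return errors.New("pin check: leaf public key matches no pinned key")
		}
		return nil
	}
}

// SelfSignedCert creates a throwaway ECDSA certificate so the check can
// be exercised offline (constructed stand-in, not the real host's cert).
func SelfSignedCert(host string) (*x509.Certificate, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, der, nil
}

// PinnedClientConfig is the tls.Config a package client would hand to
// its HTTPS transport: standard verification plus the pin callback.
func PinnedClientConfig(host string, pins []string) *tls.Config {
	return &tls.Config{
		ServerName:            host,
		MinVersion:            tls.VersionTLS12,
		VerifyPeerCertificate: PinVerifier(pins),
	}
}

func main() {
	cert, der, err := SelfSignedCert("tromey.com")
	if err != nil {
		panic(err)
	}
	pin := SPKIPin(cert)
	verify := PinVerifier([]string{pin})
	fmt.Println("pin:", pin)
	fmt.Println("same key:", verify([][]byte{der}, nil))
	_, otherDER, _ := SelfSignedCert("tromey.com")
	fmt.Println("other key:", verify([][]byte{otherDER}, nil))
}
```

The pin set is a slice so that a second entry for a backup key can be shipped ahead of a rotation; a single pinned key with no backup turns a routine key change into a client that can no longer update at all. A pin only authenticates the transport: it does nothing about what the host serves, which is the separate signature layer the message also asks for.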


