ELPA security
From: George Kadianakis
Subject: ELPA security
Date: Sun, 09 Dec 2012 16:41:50 +0200
User-agent: Microsoft Outlook Express 6.00.2900.5843
Hi,
I've been looking into ELPA (the Emacs Lisp Package Archive) and I
noticed that package.el provides no security of any kind. It doesn't
do signatures, SSL, timestamps or anything.
Are you actually considering deploying a system that downloads
untrusted code from the Internet every time a user asks for a new
package or asks to upgrade his current packages?
Package management is serious business [0]. It's sad to see ELPA
approaching the problem so insecurely.
Can't you, at the very least, enable HTTPS on tromey.com and pin its
public key in package.el?
Thanks!
[0]:
http://isis.poly.edu/~jcappos/papers/cappos_pmsec_tr08-02.pdf
https://www.cs.arizona.edu/stork/packagemanagersecurity/
or just search Google for "package manager security".
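The mitigations George asks for (transport security plus some form of authenticity check on what package.el downloads) can be expressed in a few lines of Emacs configuration. The block below is an added example written for this archive page; it is not code from the thread, from package.el, or from any ELPA maintainer. It assumes an Emacs new enough to have `package-check-signature` and `gnutls-verify-error` (24.4 or later), and the archive URL it lists is an assumed value, not one taken from the message.

```elisp
;; Added example (not from the original message): hardening the
;; archive configuration of package.el.  Assumes Emacs 24.4+.
(require 'package)

;; Fetch archive indexes and tarballs over TLS only.
;; The URL below is an assumed value for illustration.
(setq package-archives
      '(("gnu" . "https://elpa.gnu.org/packages/")))

;; Refuse to install anything whose archive-contents or package file
;; does not carry a valid OpenPGP signature from a trusted key.
(setq package-check-signature 'all)

;; Treat TLS certificate validation failures as errors, not warnings.
(setq gnutls-verify-error t)

(defun my/audit-package-archives ()
  "Warn about every entry in `package-archives' not fetched over HTTPS.
Return the list of offending archive names, in configuration order.
This helper is hypothetical and defined only for this example."
  (let (insecure)
    (dolist (entry package-archives)
      (unless (string-prefix-p "https://" (cdr entry))
        (push (car entry) insecure)
        (warn "Package archive %s uses an insecure URL: %s"
              (car entry) (cdr entry))))
    (nreverse insecure)))

;; Run the audit at startup so a plaintext archive added later is noticed.
(my/audit-package-archives)
```

Signature checking only helps if the keyring in `package-gnupghome-dir` is populated with the archive's signing key, so the audit above is a transport-level check, not a substitute for maintaining that keyring.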
- ELPA security, George Kadianakis <=
- Re: ELPA security, Nic Ferrier, 2012/12/09
- Re: ELPA security, Ted Zlatanov, 2012/12/21
- Re: ELPA security, Xue Fuqiao, 2012/12/21
- Re: ELPA security, Bastien, 2012/12/22
- Re: ELPA security, Xue Fuqiao, 2012/12/22
- Re: ELPA security, Stephen J. Turnbull, 2012/12/22
- Re: ELPA security, Bastien, 2012/12/22
- Re: ELPA security, Bastien, 2012/12/22
- package.el + DVCS for security and convenience (was: ELPA security), Ted Zlatanov, 2012/12/22
- Re: package.el + DVCS for security and convenience, Nic Ferrier, 2012/12/24