ELPA security

From: George Kadianakis
Subject: ELPA security
Date: Sun, 09 Dec 2012 16:41:50 +0200
User-agent: Microsoft Outlook Express 6.00.2900.5843


I've been looking into ELPA (the Emacs Lisp Package Archive) and I
noticed that package.el provides no security of any kind. It doesn't
do signatures, SSL, timestamps or anything.

Are you actually considering deploying a system that downloads
untrusted code from the Internet every time a user asks for a new
package or asks to upgrade his current packages?

Package management is serious business [0]. It's sad to see ELPA
approaching the problem so insecurely.

Can't you, at the very least, enable HTTPS on tromey.com and pin its
public key in package.el?


or just search Google for "package manager security".
