Re: ELPA security

From: Ted Zlatanov
Subject: Re: ELPA security
Date: Fri, 21 Dec 2012 09:32:22 -0500
User-agent: Gnus/5.130006 (Ma Gnus v0.6) Emacs/24.3.50 (gnu/linux)
On Sun, 09 Dec 2012 16:41:50 +0200 George Kadianakis <address@hidden> wrote:

GK> I've been looking into ELPA (the Emacs Lisp Package Archive) and I
GK> noticed that package.el provides no security of any kind. It doesn't
GK> do signatures, SSL, timestamps or anything.

GK> Are you actually considering deploying a system that downloads
GK> untrusted code from the Internet every time a user asks for a new
GK> package or asks to upgrade his current packages?

Who would *you* like to entrust with the user's security?

I am not questioning your direction, just thinking about it.

GK> Package management is serious business [0]. It's sad to see ELPA
GK> approaching the problem so insecurely.

GK> Can't you at the very least, enable HTTPS on tromey.com and pin its
GK> public key on package.el?

SSL can easily be compromised and may not be available on all
platforms.

I think the signing solution should be per-package, optional, functional
in older Emacsen without binary dependencies, and the user should be
able to override it on an individual or global basis. So it can't use
`curl', `gpg', or GnuTLS...

I also think `M-x list-packages' should define a `v' shortcut to find-file
the .el file or tarball that constitutes the package without installing
it. That will contribute to security and it's really convenient, too.

Ted