Re: ELPA security

Stephen J. Turnbull
Date: Sat, 22 Dec 2012 21:34:06 +0900

Xue Fuqiao writes:
 > On Sat, 22 Dec 2012 06:07:19 +0100
 > Bastien <address@hidden> wrote:
 > > What about simply distributing, within GNU Emacs the
 > > list of md5 hashes of valid(ated) packages?

Doesn't solve any problems that I can see.  You'll still need to
distribute the hashes for newly added or updated packages somehow.
People aren't going to reinstall Emacs just because of a package
update they might like to try, and even if they would, the burden on
the maintainers would be substantial.

 > It's quite easy and straightforward.  And maybe functions like
 > SHA-3 or MD6 are even better.

Get advice from someone who knows what they're talking about (which
isn't me, but I do know how much I don't know ;-).  As far as I can
tell, MD5 is clearly out of the question any more for security
purposes.  A hash believed secure for the foreseeable future is not a
huge computational burden in this application.  The only real question
is whether it's installed on the users' systems or not.

