Re: ELPA security

From: Paul Nathan
Subject: Re: ELPA security
Date: Wed, 26 Dec 2012 09:32:44 -0800

On Sat, Dec 22, 2012 at 8:20 AM, Stefan Monnier <address@hidden> wrote:
> I also think `M-x list-packages' should define a `v' shortcut to file-find
> the .el file or tarball that constitutes the package without installing
> it.  That will contribute to security and it's really convenient, too.

> Actually, "installation" has several steps:
> - download.
> - install per se (i.e. copies the files at an appropriate place).
> - compile.
> - setup (i.e. arrange things such that the package is in the load-path
>   and its autoloads are active next time to start Emacs).
>
> The first two steps can be made to be safe.



I would like to humbly provide some ideas here:

- In general, GNU is trusted (after all, we download our Emacs from GNU). This would imply to me that GNU can GPG-sign packages with a private/public key. (Perhaps the precursor to this is Emacs having a GPG implementation included.)

- Then perhaps other repositories, such as Marmalade, could also sign their packages, and users could choose to trust that signature or not.

- Of course, this is analogous to the Debian/Launchpad/PPA approach, which has worked excellently for me and others. It may require quite a great deal of infrastructure work, which I am entirely unfamiliar with.
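The per-repository signing model Paul proposes, sketched as a shell check (an added example, not code from this thread or from Emacs/ELPA): a detached GPG signature on the package file is verified with gpgv against a keyring that holds only that repository's keys, so trusting GNU's key and trusting Marmalade's key are separate decisions, and the "install per se" copy happens only after verification succeeds. The keyring and file names are assumptions.

```shell
#!/bin/sh
# Added example: gate the copy step of package installation on a detached
# GPG signature checked against a per-repository keyring.
# Assumed layout (illustrative): one keyring file per repository
# (gnu.gpg, marmalade.gpg) and the signature stored beside the archive
# as <file>.sig.

# verify_package KEYRING PACKAGE SIGNATURE
# Returns 0 only when SIGNATURE is a good signature over PACKAGE made by a
# key present in KEYRING. Missing inputs fail closed with status 2.
verify_package() {
    keyring=$1; pkg=$2; sig=$3
    [ -f "$keyring" ] && [ -f "$pkg" ] && [ -f "$sig" ] || return 2
    # gpgv consults only the keyring given here, never prompts, and
    # ignores the user's default keyring, so a signer is trusted only if
    # the user deliberately added its key for this repository.
    gpgv --keyring "$keyring" "$sig" "$pkg" >/dev/null 2>&1
}

# install_if_signed KEYRING PACKAGE DEST_DIR
# The "download" and "install per se" steps with verification in between:
# PACKAGE is copied into DEST_DIR only after its signature checks out.
install_if_signed() {
    keyring=$1; pkg=$2; dest=$3
    if verify_package "$keyring" "$pkg" "$pkg.sig"; then
        mkdir -p "$dest" && cp "$pkg" "$dest/"
    else
        echo "refusing to install $(basename "$pkg"): no valid signature for this repository" >&2
        return 1
    fi
}
```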

