[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ELPA security

From: Ted Zlatanov
Subject: Re: ELPA security
Date: Mon, 31 Dec 2012 17:19:23 -0500
User-agent: Gnus/5.130006 (Ma Gnus v0.6) Emacs/24.3.50 (gnu/linux)

On Mon, 31 Dec 2012 11:57:58 -0800 "Drew Adams" <address@hidden> wrote: 

Ted> add DVCS support to package.el, supporting Git and 
Ted> Bazaar, with the notion of "pull packages from repo X
Ted> at tag/commit Y" in addition to the current "pull packages
Ted> from URLs".  The VC package has to be involved
Ted> here, instead of writing custom code.
>> What is the reason for this?
>> FWIW, I considered and rejected this approach when writing package.el.
>> My reason was that I wanted packaging not to require any 
>> external tools, so it would be available to all Emacs users.
>> Also, KISS.
>> Mixing in VC seems to add a lot of potential failure modes.

DA> If Emacs Dev really wants to do this, why not separate it from package.el 
DA> make its use optional?

The intent is to have securely authenticated packagess from the GNU ELPA
by default.  Making the mechanism optional would defeat that plan.  But
it should be easy to override and put in "warn-only" or "I don't care"
modes, I think.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]