[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: security of the emacs package system, elpa, melpa and marmalade

From: Matthias Dahl
Subject: Re: security of the emacs package system, elpa, melpa and marmalade
Date: Fri, 27 Sep 2013 16:18:03 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.0

Hello Richard...

On 26/09/13 18:25, Richard Stallman wrote:

> * Surreptitious substitution of the wrong code
>   instead of what you think you are downloading.

In all honesty, I strongly believe that packages that contain malicious
code would fall under this category.

I think the world in Emacs has changed: It is now even easier to get
packages simply through the package system. Projects advertise that they
should be installed through (M)ELPA or Marmelade. Yet nowhere is any
mention about the security aspects of it.

- Neither repository checks the code for quality and security. And if
  a plugin should get withdrawn from a repository because it really was
  infected, there is no way to inform a user about it except through the
  bad press that followed.

  As a counter example: Plugins distributed through addons.mozilla.org
  are checked for security - initial versions as well as updates.

- An Emacs plugin can do whatever it chooses to do with the full
  privileges of the current user. But why give a plugin all such power
  in the first place? Informing the user beforehand what privileges a
  plugin required and thus tightening the belt on a plugin, would make
  things more transparent and more secure.

I would also _never_ install anything from MELPA if the source of it was
from the wiki which everyone can edit freely, afaik.

Sorry for the wall of text. :(

So long,

Dipl.-Inf. (FH) Matthias Dahl | Software Engineer | binary-island.eu
 services: custom software [desktop, mobile, web], server administration

reply via email to

[Prev in Thread] Current Thread [Next in Thread]