[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: security of the emacs package system, elpa, melpa and marmalade

From: Matthias Dahl
Subject: Re: security of the emacs package system, elpa, melpa and marmalade
Date: Mon, 30 Sep 2013 17:31:21 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.0

Hello Stefan...

> [...]
> So such a sandboxing would mostly work as a "sanity check" which can
> catch coding errors/oversights rather than malicious code.

After the whole discussion, I agree, that a sandbox would not be the
holy grail to this problem, unfortunately. I still think it would be one
measure that should be complemented with others and work in concert with
those to be more effective as a whole.

> Another way to look at the problem is to perform code review.

Which would be very nice to have in general, naturally.

> So you could argue that the problem is not ELPA in general but
> "unsupervised" archives such as MELPA.

Excuse my straightforwardness but this feels like pushing responsibility
away to someone else. Neither ELPA, nor MELPA or Marmalade provide a
sufficient reviewing process to be considered effective, imho. So all of
those are more or less in the same boat. Naturally, some of the
solutions that would work for ELPA, could potentially be hard to do with
MELPA... but that is a different story.

I think a general solution that would benefit all, would be absolutely

So long,

Dipl.-Inf. (FH) Matthias Dahl | Software Engineer | binary-island.eu
 services: custom software [desktop, mobile, web], server administration

reply via email to

[Prev in Thread] Current Thread [Next in Thread]