[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: security of the emacs package system, elpa, melpa and marmalade

From: Ted Zlatanov
Subject: Re: security of the emacs package system, elpa, melpa and marmalade
Date: Mon, 30 Sep 2013 13:18:10 -0400
User-agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.3.50 (gnu/linux)

On Mon, 30 Sep 2013 17:10:43 +0200 Matthias Dahl <address@hidden> wrote: 

MD> Hello...
>> I would propose using the signature files above to provide that wall,
>> so auto-signing should not be done.  Instead a maintainer team should
>> review changes that need to go up on the GNU ELPA.

MD> Ted, that would be really nice to have but as it was brought up earlier
MD> in this thread, this is not gonna happen. And I can honestly understand
MD> why it can't happen. The amount of manpower required to really do this
MD> properly, is not something that could be easily shouldered by a team of
MD> trusted volunteers in a timely manner.

A much more complex version of this process works for Debian.  I think
the amount of changes is not bad for a daily review, especially if we
move to a branch+pull request+merge model for the GNU ELPA.  Github's
infrastructure and UI for this is quite good.  Oh, and of course the
same branch+pull request+merge model could apply to the Emacs core as
well; that IMO would be really nice.

I think it's much less likely that Emacs will be rewritten to provide a
sandbox for packages, and a community review process is more valuable in
the long term in any case.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]