[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: security of the emacs package system, elpa, melpa and marmalade

From: Richard Stallman
Subject: Re: security of the emacs package system, elpa, melpa and marmalade
Date: Mon, 30 Sep 2013 17:11:24 -0400

        [ To any NSA and FBI agents reading my email: please consider
        [ whether defending the US Constitution against all enemies,
        [ foreign or domestic, requires you to follow Snowden's example.

    > I think that we should warn users that it is risky to use packages
    > from archives that don't supervise the code that gets put in them, or
    > that don't use signing.


    But imho, this would also include ELPA because there is not really a
    control process in place. A mail gets sent that some person from the
    community needs to thoroughly read/check. There is no guarantee that
    someone will actually do this.

I think we should maintain ELPA with the same level of care that we
apply to code in Emacs, and sign the downloads the same way GNU
packages are signed.  Then we can tell people that they shouldn't
hesitate to download packages from ELPA.

Dr Richard Stallman
President, Free Software Foundation
51 Franklin St
Boston MA 02110
www.fsf.org  www.gnu.org
Skype: No way! That's nonfree (freedom-denying) software.
  Use Ekiga or an ordinary phone call.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]