[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

GNU ELPA security and Org-mode

From: Stefan Monnier
Subject: GNU ELPA security and Org-mode
Date: Thu, 06 Apr 2017 11:04:29 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.50 (gnu/linux)

I just realized that the GPG-signing we're doing in GNU ELPA is
weaker for the org-mode packages than for all other:

All GNU ELPA packages, except for org-mode, are generated by
elpa.gnu.org from an elpa.git checkout (via https, not sure if Git
checks the key), whereas the org-mode package is downloaded from

So the org-mode package has weaker points:
- uses http rather than https.
- downloaded from a machine that's further (well, not absolutely sure,
  but I assume that elpa.gnu.org and git.sv.gnu.org are near each other).

Maybe we should consider some way to take the org packages from
http://orgmode.org/elpa, and push them to elpa.git.  This way even if
this transfer from orgmode.org to elpa.git suffers from the same risks,
the resulting patch would be sent to elpa-diffs, so it would be exposed
for review (how much review it would really get is clearly debatable,


reply via email to

[Prev in Thread] Current Thread [Next in Thread]