
From: Tim Cross
Subject: Re: Why are so many great packages not trying to get included in GNU Emacs?
Date: Fri, 24 Apr 2020 09:50:36 +1000

I don't think it is quite that simple.

You're not just trusting that that person will do the right thing. You are also trusting that they have good operational security. It is precisely this sort of trust model which resulted in a number of GNU/Linux distributions being compromised in the past. The same thing has occurred with NPM and other 'public' repositories. It wasn't that people who had access did the wrong thing, but rather that people who had access failed to secure their systems adequately.

You only need to do a search of places like GitHub to see how often people accidentally commit sensitive data, or look at the analysis of repositories that have been compromised to see how often this occurred because passwords were poor, keys were not secured or sensitive data was accidentally posted to public forums.

The only real solution is one where each package maintainer is isolated from write access to code/packages they are not authorised to maintain. The challenge is, such setups usually also result in higher levels of maintenance overheads and that can often be a challenge for an organisation which needs to walk a tight line wrt funding.

To make matters worse, typically it is almost impossible to have good security retrofitted to a solution; this is something which needs to be designed into the architecture from the start. This means that to fix this problem would require a considerable amount of work and change. The change part is extremely difficult as most people simply don't like change (as is evident in many of the discussions about updating how we handle patches, pull requests, defaults, etc.).

On Fri, 24 Apr 2020 at 07:51, Andrea Corallo <address@hidden> wrote:
> Stefan Monnier <address@hidden> writes:
>
>> That's right.  There is a practical problem, OTOH, which is that
>> write/push access to a GNU ELPA package currently means write access to
>> all GNU ELPA packages as well as to Emacs's repository.
>> For this reason, while some GNU ELPA package maintainers can "just push"
>> as they see fit, as it should be, others haven't yet been granted this
>> right.  This is a problem which we should solve, indeed, for the benefit
>> of those less-lucky package maintainers, as well as for the benefit of
>> those Emacs maintainers who have to play the middle men, and more
>> generally for the benefit of the GNU ELPA archive and hence Emacs users
>> since the current situation tends to discourage submissions.
>> Note that giving write access widely, as we do now, has advantages as
>> well, in that it encourages package maintainers to participate in
>> development of Emacs more generally.
>
> To me the fact that a number of package maintainers are without write
> access sounds quite odd.
>
> If they are trusted to maintain a package they are supposed to have also
> the skills to push a git commit correctly.
>
> Looking at other Free Software projects I'm involved in, I can testify that
> trust pays off and I think they should get write access.  My 2 cents.

Tim Cross
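The isolation Tim describes (each maintainer can write only to the packages they are authorised for, so a single compromised account cannot reach the whole archive or the Emacs tree) is normally enforced server-side, for example in a git pre-receive hook. The script below is an added example written for this page, not code from the thread, from GNU ELPA or from any Emacs infrastructure. The ACL format (`user:path-prefix`), the function names `allowed_prefixes` and `check_push`, and the sample users and paths are all constructed for illustration; a real hook would take the pusher from the server's authentication layer and the changed paths from `git diff --name-only` on each pushed ref.

```shell
#!/bin/sh
# Added example: a per-package write-access policy check of the kind a git
# server would run in a pre-receive hook. Not code from the thread.
# Hypothetical ACL: "user:path-prefix", one entry per line (constructed data).
ACL="alice:packages/foo/
bob:packages/bar/
carol:packages/foo/
carol:packages/baz/"

# allowed_prefixes USER
#   Print every path prefix USER is authorised to write to (one per line).
allowed_prefixes() {
    printf '%s\n' "$ACL" | awk -F: -v u="$1" '$1 == u { print $2 }'
}

# check_push USER PATH...
#   Return 0 only if every changed PATH lies under one of USER's allowed
#   prefixes. A push that touches even one foreign path is rejected as a
#   whole (return 1): least privilege per maintainer rather than
#   archive-wide write access. Git never produces ".." components in the
#   paths it reports, so a plain prefix match is sufficient here.
check_push() {
    cp_user=$1
    shift
    cp_prefixes=$(allowed_prefixes "$cp_user")
    for cp_path in "$@"; do
        cp_ok=0
        for cp_pre in $cp_prefixes; do
            case "$cp_path" in
                "$cp_pre"*) cp_ok=1; break ;;
            esac
        done
        if [ "$cp_ok" -eq 0 ]; then
            echo "REJECT: $cp_user is not authorised to modify $cp_path" >&2
            return 1
        fi
    done
    return 0
}

# In a real pre-receive hook the pusher comes from the server's
# authentication layer (for instance an environment variable set by the SSH
# forced command) and the path list from
#     git diff --name-only "$old_sha" "$new_sha"
# for each "old new ref" line read from stdin. Here the inputs are constructed.
demo() {
    if check_push alice packages/foo/foo.el; then
        echo "alice -> packages/foo/foo.el: accepted"
    fi
    if check_push alice packages/bar/bar.el; then
        echo "alice -> packages/bar/bar.el: accepted"
    else
        echo "alice -> packages/bar/bar.el: rejected"
    fi
}
demo
```

The important property is that the decision is all-or-nothing per push: a commit that legitimately edits `packages/foo/` but also slips a change into another package is refused outright, which is what keeps one maintainer's leaked key from turning into write access to everything.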