emacs-devel

Security in the emacs package ecosystem


From: Husain Alshehhi
Subject: Security in the emacs package ecosystem
Date: Sun, 15 May 2022 20:53:31 +0000

Hello,

This issue is not new and seems to have been discussed before:

<https://emacs-devel.gnu.narkive.com/atiq1AoP/security-of-the-emacs-package-system-elpa-melpa-and-marmalade>

I was wondering if things have changed since then.

To summarize: most emacs users download packages directly from the git 
repository. This is a security threat, as there is nothing to prevent a 
malicious change from reaching users. The malicious change could be posted 
through a hack, or could be posted by the owner of the package (in extreme 
cases). Is there anything currently in the ecosystem, or package repository, to 
prevent these sorts of issues? Are there any initiatives or ideas to address 
these issues? If not, what are the recommended (and practical) ways to be safe?

(Some solutions that are typically thrown out: manual code review of every 
package installed. Use distro package manager and have emacs packages go 
through the normal package review process of each distro. Package signing. 
melpa/elpa stamp of approval.)

Husain
