Security in the emacs package ecosystem
From: Husain Alshehhi
Subject: Security in the emacs package ecosystem
Date: Sun, 15 May 2022 20:53:31 +0000
Hello,
This issue is not new and seems to have been discussed before:
<https://emacs-devel.gnu.narkive.com/atiq1AoP/security-of-the-emacs-package-system-elpa-melpa-and-marmalade>
I was wondering if things have changed since then.
To summarize: most users of emacs download packages directly from the git
repository. This is a security threat, as there is nothing to prevent a
malicious change from going to users. The malicious change could be posted
through a hack, or could be posted by the owner of the package (in extreme
cases). Is there anything currently in the ecosystem, or package repository, to
prevent these sorts of issues? Are there any initiatives or ideas to address
these issues? If not, what are the recommended (and practical) ways to be safe?
(Some solutions that are typically thrown out: manual code review of every
package installed. Use distro package manager and have emacs packages go
through the normal package review process of each distro. Package signing.
melpa/elpa stamp of approval.)
Husain
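The "package signing" mitigation in the list above already has a concrete form in package.el. The following configuration is an added example for readers of this thread, not code from the original post; it assumes Emacs 27 or later, a working gpg, and the GNU ELPA signing key installed (the gnu-elpa-keyring-update package provides it). Archive URLs are the public GNU and NonGNU ELPA ones; the pinned package name is just an illustration.

```elisp
;; Added example (not from the original post): make package.el refuse
;; unsigned or badly signed archive contents instead of silently accepting them.

(require 'package)

;; Default is `allow-unsigned', which accepts an archive that carries no
;; signature at all, so a tampered mirror or swapped tarball is hard to notice.
;; With `all', every package and every archive-contents file must have a
;; signature that verifies against a key in `package-gnupghome-dir'.
(setq package-check-signature 'all)

;; Only archives that actually publish signatures can satisfy `all'.
;; GNU ELPA and NonGNU ELPA do; MELPA does not, so listing it here would make
;; every install from it fail closed.
(setq package-archives
      '(("gnu"    . "https://elpa.gnu.org/packages/")
        ("nongnu" . "https://elpa.nongnu.org/nongnu/")))

;; If an unsigned archive is kept anyway, grant the exception per archive so it
;; is visible in the config rather than lowering the check globally:
;; (add-to-list 'package-archives '("melpa" . "https://melpa.org/packages/"))
;; (setq package-unsigned-archives '("melpa"))

;; When a package name exists in more than one archive, prefer the higher
;; priority so a same-named package on a lower-trust archive cannot win.
(setq package-archive-priorities '(("gnu" . 10) ("nongnu" . 5)))

;; Pinning fixes a package to one archive regardless of version numbers
;; (illustrative entry; `org' is published on GNU ELPA).
(setq package-pinned-packages '((org . "gnu")))

(package-initialize)
```

Two caveats belong with this setting. It verifies that what was downloaded is what the archive signed with its key; it says nothing about whether that code is benign, so a malicious commit accepted by the archive, or a compromised maintainer account, passes unchanged. And because the check fails closed, `package-refresh-contents` will error on any archive whose key is missing or expired, which is the moment to refresh the keyring rather than to downgrade `package-check-signature`.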