
Re: Fwd: Should package.el support notifying on package security updates

From: Matt Armstrong
Subject: Re: Fwd: Should package.el support notifying on package security updates?
Date: Thu, 11 Aug 2022 17:04:09 -0700

Gulshan Singh <gsingh2011@gmail.com> writes:

> I recently reported a security issue for a package on MELPA, where
> even though I trusted the package author, if I used the package to
> process untrusted data that data could be crafted in a way to execute
> arbitrary code on my system. This led me to wonder if there was any
> mechanism for package.el to distinguish between regular updates and
> security updates, and I wasn't able to find any information on this.
> Has there been any past discussion on this? As an example, on Ubuntu you
> can see how many of the pending updates are security updates as opposed
> to regular updates, and you can configure the system to auto-update just
> the security updates. I feel like the package manager in emacs should
> have something similar, but maybe I'm missing something about why this
> functionality isn't included.

I am not an authority on Emacs packages, but as far as I am aware, there
is no mechanism in place to track security vulnerabilities in Emacs
packages or any way to urgently present available fixes to users
(e.g. by suggesting a particular package upgrade is urgent).

One substantive discussion I found on package security issues in general
occurred on emacs-devel 9 years ago:

Subject: security of the emacs package system, elpa, melpa and marmalade
Date: Mon, 23 Sep 2013 09:30:35 +0200

Shortly after that discussion it looks like package.el was changed to
verify package signatures (at least optionally, based on the
availability of a gpg installation, which went through refinement over a
period of years).
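As an added illustration of the optional signature checking mentioned above (this is not code from the thread or from package.el itself): an init-file fragment that shows the default setting beside a fail-closed one, and a small helper that reports whether signature checks can actually run on this machine. It assumes, as the message says, that with the default `allow-unsigned` value package.el skips verification entirely when `epg-find-configuration` finds no OpenPGP binary.

```elisp
(require 'package)
(require 'epg-config)

;; Weak (the default): unsigned packages are accepted, and if gpg is not
;; installed at all, no signature is ever verified.
;; (setq package-check-signature 'allow-unsigned)

;; Hardened: every signature on an archive index or package must verify,
;; so a missing gpg or a missing .sig file is an error, not a silent skip.
(setq package-check-signature 'all)

;; Keep the keyring package.el trusts separate from the user's own keyring.
(setq package-gnupghome-dir
      (expand-file-name "elpa/gnupg" user-emacs-directory))

;; Archives accepted without a signature must be listed here explicitly,
;; so an unsigned archive is an opt-in decision rather than a default.
(setq package-unsigned-archives nil)

(defun my/package-signature-policy ()
  "Return a plist describing whether signature checks can actually run.
Reports the configured policy, whether an OpenPGP binary was found, the
policy that is effectively in force, and archives accepted unsigned."
  (let ((gpg (ignore-errors (epg-find-configuration 'OpenPGP))))
    (list :configured package-check-signature
          :gpg-available (and gpg t)
          :effective (cond ((null package-check-signature) 'none)
                           ;; Assumption: allow-unsigned degrades to no
                           ;; check at all when gpg cannot be found.
                           ((and (eq package-check-signature 'allow-unsigned)
                                 (null gpg))
                            'none)
                           (t package-check-signature))
          :unsigned-archives package-unsigned-archives)))

;; Surface a weaker-than-intended policy at startup instead of discovering
;; it after an unsigned archive index has already been installed.
(let ((policy (my/package-signature-policy)))
  (unless (memq (plist-get policy :effective) '(t all))
    (display-warning
     'package
     (format "package signature checks are effectively off: %S" policy)
     :warning)))
```

Evaluating `(my/package-signature-policy)` interactively shows the same report without restarting Emacs.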
