Re: Fwd: Should package.el support notifying on package security updates?

From: Stefan Monnier
Subject: Re: Fwd: Should package.el support notifying on package security updates?
Date: Fri, 12 Aug 2022 17:40:55 -0400
> - There are actually very few security issues reported for Elisp
>   packages.  This doesn't mean there aren't any, only that they are
>   discovered and reported very rarely.

And I suspect that security issues are much more common than are reported.
[ Lots of Emacs packages are written under the implicit assumption that the
  current buffer contains something mildly-trustworthy.  ]

> - It would require package maintainers to somehow flag that an update is
>   a security update rather than just a standard update. As it is already
>   somewhat challenging to get many package maintainers to include
>   consistent change logs in their packages, I suspect then also asking
>   them to distinguish security updates from normal updates may be
>   asking too much.

I'm not sure it would be a big problem.  But I'm not sure it would be an
improvement either.  Especially because I suspect it might give the
false impression that the code of ELisp packages is somewhat
security-conscious, whereas in my experience, the vast majority of Emacs
packages isn't (they may end up secure by accident, of course).


