From: Lars Ingebrigtsen
Subject: Re: feature/package+vc 04c4c578c7 3/4: Allow for packages to be installed directly from VCS
Date: Sat, 08 Oct 2022 17:58:24 +0200
User-agent: Gnus/5.13 (Gnus v5.13)

Philip Kaludercic <philipk@posteo.net> writes:

> - The ability to install a package directly from source using
>   `package-vc-fetch' (aliased to `package-checkout').  This
>   functionality is ideally VC generic.
> - The ability to update a package using `package-upgrade'[0]
> - Package metadata can either be inferred from the package URL (see
>   `package-vc-heusitic-alist') or via explicit hints from an ELPA
>   server.  I plan to add the necessary features to GNU and NonGNU ELPA
>   in time so that the heuristics can be avoided.
> - The ability to (i) contact, (ii) send bug reports and (iii) patches
>   (using the new `vc-patch-prepare') to package maintainers.

Sounds like great functionality, but I wonder whether the security
implications have been discussed?  Today, we use GNU ELPA as a filter of
sorts and people rely on code there not being compromised.

I assume "hints from an ELPA server" is basically a list of links to git
repositories?  If that's the case, then we may well end up with pointing
users towards repos that have been compromised.

If we don't have such a list, then adding the basic functionality sounds
useful anyway -- that is, allowing users to say `M-x
package-install-from-repo' or something and then they type in the URL of
that repo -- that's fine, and leaves the security implications to the
user (where they already are today for people that install from external

But if we list these repos in `M-x list-packages', that's a very
different issue.
