Re: feature/package+vc 04c4c578c7 3/4: Allow for packages to be installe
From: Lars Ingebrigtsen
Subject: Re: feature/package+vc 04c4c578c7 3/4: Allow for packages to be installed directly from VCS
Date: Sat, 08 Oct 2022 17:58:24 +0200
User-agent: Gnus/5.13 (Gnus v5.13)

Philip Kaludercic <philipk@posteo.net> writes:
> - The ability to install a package directly from source using
> `package-vc-fetch' (aliased to `package-checkout'). This
> functionality is ideally VC generic.
>
> - The ability to update a package using `package-upgrade'[0]
>
> - Package metadata can either be inferred from the package URL (see
> `package-vc-heuristic-alist') or via explicit hints from an ELPA
> server. I plan to add the necessary features to GNU and NonGNU ELPA
> in time so that the heuristics can be avoided.
>
> - The ability to (i) contact, (ii) send bug reports and (iii) patches
> (using the new `vc-patch-prepare') to package maintainers.

Sounds like great functionality, but I wonder whether the security
implications have been discussed? Today, we use GNU ELPA as a filter of
sorts and people rely on code there not being compromised.

I assume "hints from an ELPA server" is basically a list of links to git
repositories? If that's the case, then we may well end up pointing
users towards repos that have been compromised.

If we don't have such a list, then adding the basic functionality sounds
useful anyway -- that is, allowing users to say
`M-x package-install-from-repo' or something and then they type in the
URL of that repo -- that's fine, and leaves the security implications to
the user (where they already are today for people that install from
external repos).

But if we list these repos in `M-x list-packages', that's a very
different issue.