emacs-devel

Re: feature/package+vc 04c4c578c7 3/4: Allow for packages to be installe


From: Stefan Monnier
Subject: Re: feature/package+vc 04c4c578c7 3/4: Allow for packages to be installed directly from VCS
Date: Sat, 08 Oct 2022 12:35:27 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/29.0.50 (gnu/linux)

> If we don't have such a list, then adding the basic functionality sounds
> useful anyway -- that is, allowing users to say `M-x
> package-install-from-repo' or something and then they type in the URL of
> that repo -- that's fine, and leaves the security implications to the
> user (where they already are today for people that install from external
> repos).

Indeed there are 2 different steps:
- installing from a particular "URL" (well, a URL plus some extra side
  info, tho that side info can be empty in many cases).  AFAIK that's
  what Philip's code currently offers.
- provide some way to let the user specify a package name and let
  something else map that to a "URL".  This is the more risky step and
  I don't think his code implements that yet.  Not sure how to address
  the security issue at that step, other than by dumping the problem
  onto the users: show them the URL and ask them if they're OK with it.

But as Philip points out, the (Non)GNU ELPA packages, while signed and
all, just blindly pull from those same URLs to build the tarballs, so
the difference is not as large as it seems.

> But if we list these repos in `M-x list-packages', that's a very
> different issue.

It also depends on where the list comes from.


        Stefan



