Re: feature/package+vc 04c4c578c7 3/4: Allow for packages to be installe


From: Tim Cross
Subject: Re: feature/package+vc 04c4c578c7 3/4: Allow for packages to be installed directly from VCS
Date: Mon, 10 Oct 2022 10:14:44 +1100
User-agent: mu4e 1.9.0; emacs 29.0.50

Lars Ingebrigtsen <larsi@gnus.org> writes:

> Philip Kaludercic <philipk@posteo.net> writes:
>
>> It seems to me that fetching a package from source is no more dangerous
>> than fetching a tarball, seeing as the tarball is automatically
>> generated from the repository.
>
> It doesn't matter much whether it's a tar ball or a git repo (although
> there is signing of the tar balls), but whether there's any oversight at
> all or not.  All commits to Non/GNU ELPA end up on a mailing list, which
> provides a smidgen of transparency, which is better than none.

Signing of tarballs may help a bit, as it will typically mean you have
to both compromise the source repository and compromise the keys used
for signing. It raises the bar a bit.

Posting commits to a mail list might provide some transparency, but next
to nothing for security. In fact, I would argue it is extremely
dangerous to assume it does anything for security. Just because
something is sent to a mailing list doesn't mean anyone actually looks
at it or performs any assessment.

I'm not sure anything Philip is proposing is making the situation
significantly worse, because we are not doing anything proactive with
respect to security anyway. We are largely hoping 'someone else' has
reviewed it and flagged any security issues. While this might occur from
time to time, its ad hoc nature means it cannot be assumed to occur.

We should educate users that all these methods, regardless of source,
have security implications. We should actively discourage any assumption
that we are similar to Apple, whereby you can (supposedly) assume some
level of confidence regarding packages installed from their App Store.

The only level of confidence we can really provide wrt GNU ELPA and
NonGNU ELPA is that the packages in those repositories have acceptable
licenses.