
Re: Security in the emacs package ecosystem

From: Ihor Radchenko
Subject: Re: Security in the emacs package ecosystem
Date: Sat, 04 Feb 2023 13:12:09 +0000

Husain Alshehhi <husain@alshehhi.io> writes:

> This issue is not new and seems to have been discussed before:
> <https://emacs-devel.gnu.narkive.com/atiq1AoP/security-of-the-emacs-package-system-elpa-melpa-and-marmalade>
> I was wondering if things have changed since then.

To follow up, how are the plans (stated in the referenced discussion)
about signing ELPA packages?

AFAIK, ELPA currently re-builds package tarballs every time a new tag
appears in the source repo. No signature checks, nothing to prevent a
potential breach in the source repo.

And ELPA tarballs themselves are not signed. Same for non-GNU ELPA.

Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>
