Re: Security in the emacs package ecosystem
From: Stefan Kangas
Subject: Re: Security in the emacs package ecosystem
Date: Sat, 4 Feb 2023 08:59:54 -0800
Ihor Radchenko <yantar92@posteo.net> writes:
> To followup, how are the plans (stated in the referenced discussion)
> about signing ELPA packages?
>
> AFAIK, ELPA currently re-builds package tarballs every time a new tag
> appears in the source repo. No signature checks, nothing to prevent a
> potential breach in the source repo.
I think we should add some flag to the build system saying that a
package should only be released if the new tag has a valid signature.
This would have to be optional for now. (It is of course already best
practice to always sign your tags regardless.)
IMO, opening a feature request for this in the bug tracker would be
useful. A patch would be even better.
> And ELPA tarballs themselves are not signed. Same for non-GNU ELPA,
> AFAIK.
GNU ELPA and NonGNU ELPA do sign packages, see for example:
https://elpa.gnu.org/packages/company-0.9.13.tar
https://elpa.gnu.org/packages/company-0.9.13.tar.sig
For some reason, the signature file is not linked from the web
interface. I think we should add such a link.
If I'm not mistaken, MELPA unfortunately does not sign packages.
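The gating check proposed in this reply (only release a package if the new tag carries a valid signature), as an added example that is not part of this thread or of the ELPA build scripts: it parses the gpg status lines that `git verify-tag --raw` emits and accepts only signatures from maintainer keys pinned by full fingerprint. The key id, fingerprint and sample status lines are constructed placeholders, and `judge_status` and `tag_is_releasable` are names chosen here.

```python
import subprocess

# gpg --status-fd tokens that must block a release (see GnuPG's doc/DETAILS).
FATAL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA"}

# Constructed sample of what `git verify-tag --raw` prints for a good signature
# (placeholder key id, fingerprint and user id, not a real maintainer key).
SAMPLE_GOOD = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Maintainer <maint@example.org>
[GNUPG:] VALIDSIG ABCDEF0123456789ABCDEF0123456789ABCDEF01 2023-02-04 1675523994 0 4 0 22 8 00 ABCDEF0123456789ABCDEF0123456789ABCDEF01
[GNUPG:] TRUST_ULTIMATE 0 pgp
"""
ALLOWED = {"ABCDEF01 23456789 ABCDEF01 23456789 ABCDEF01"}  # placeholder fingerprint


def judge_status(status_text: str, allowed_fprs: set) -> tuple:
    """Return (ok, reason) from gpg status lines. The maintainer key is pinned
    by full fingerprint: a valid signature from some other key that happens to
    be in the build host's keyring is not enough to release."""
    allowed = {f.upper().replace(" ", "") for f in allowed_fprs}
    good, valid = False, []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        token = fields[1]
        if token in FATAL:
            return False, f"gpg reported {token}"
        if token == "GOODSIG":
            good = True
        elif token == "VALIDSIG":
            # fields[2] is the signing (sub)key; the optional fields[11] is the
            # primary key fingerprint. Pin on the primary when it is present.
            valid.append((fields[11] if len(fields) > 11 else fields[2]).upper())
    if not (good and valid):
        return False, "no GOODSIG/VALIDSIG pair in gpg output"
    for fpr in valid:
        if fpr in allowed:
            return True, f"signed by allow-listed key {fpr}"
    return False, f"valid signature, but key {valid[0]} is not allow-listed"


def tag_is_releasable(repo: str, tag: str, allowed_fprs: set) -> tuple:
    """Run `git verify-tag --raw` in `repo` and judge its gpg status output."""
    proc = subprocess.run(["git", "-C", repo, "verify-tag", "--raw", tag],
                          capture_output=True, text=True)
    return judge_status(proc.stderr + proc.stdout, allowed_fprs)
```

`tag_is_releasable` needs git and a keyring containing the maintainer keys on the build host; `judge_status` can be exercised offline on captured status output.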