
Re: Security in the emacs package ecosystem

From: Ihor Radchenko
Subject: Re: Security in the emacs package ecosystem
Date: Fri, 17 Feb 2023 10:21:37 +0000

Stefan Kangas <stefankangas@gmail.com> writes:

> I think we should add some flag to the build system saying that a
> package should only be released if the new tag has a valid signature.
> This would have to be optional for now.  (It is of course already best
> practice to always sign your tags regardless.)

This is a good measure and will certainly improve security.

Another consideration is that package recipes can be directly edited by
anyone. If an account of a person with write access to, for example,
ELPA is compromised, ELPA recipes can be arbitrarily manipulated for all
ELPA packages. This includes re-targeting the source repo or simply
disabling the signature verification.

I am raising this because a breach of a package repo means a significant
probability of leaked ssh keys. The same ssh keys can be used to access
ELPA then.

> GNU ELPA and NonGNU ELPA do sign packages, see for example:
>     https://elpa.gnu.org/packages/company-0.9.13.tar
>     https://elpa.gnu.org/packages/company-0.9.13.tar.sig
> For some reason, the signature file is not linked from the web
> interface.  I think we should add such a link.

I opened a bug report to create an actionable item on this.

> If I'm not mistaken, MELPA unfortunately does not sign packages.

Looking at 43.4 Creating and Maintaining Package Archives, signing is
actually recommended. WRT MELPA we can do the following:
1. Open an issue
2. Allow users to demand that package.el verify signatures when
   downloading packages. Interested users can then increase their
   security by rejecting packages without a .sig file.

Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>
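As an added example (not code from this thread, Emacs, or package.el), the following POSIX shell function implements the "reject packages without a .sig file" policy from point 2 above for a tarball downloaded from an archive: it fails closed when the detached signature is missing and otherwise verifies against a dedicated keyring. The keyring path and tarball name in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: verify an ELPA package tarball against its detached .sig
# using only a dedicated archive keyring. A tarball with no .sig is rejected
# outright rather than treated as "unknown". Paths below are assumptions.

# verify_package TARBALL KEYRING
# Returns 0 if TARBALL has a good signature made by a key in KEYRING,
#         2 if TARBALL.sig does not exist (unsigned package, rejected),
#         1 if the tarball is missing or the signature does not verify.
verify_package() {
    tarball=$1
    keyring=$2
    sig="${tarball}.sig"

    if [ ! -f "$tarball" ]; then
        echo "no such tarball: $tarball" >&2
        return 1
    fi
    # Fail closed: a missing .sig is a rejection, not a soft warning.
    if [ ! -f "$sig" ]; then
        echo "REJECT: $tarball has no detached signature ($sig missing)" >&2
        return 2
    fi
    # --no-default-keyring plus --keyring restricts trust to the archive
    # keyring, so a stray key in the user's default keyring cannot vouch
    # for a package. Any gpg failure (bad data, unknown key) is a reject.
    if gpg --batch --no-default-keyring --keyring "$keyring" \
           --verify "$sig" "$tarball" >/dev/null 2>&1; then
        echo "OK: $tarball signature verified against $keyring"
        return 0
    fi
    echo "REJECT: $tarball signature did not verify" >&2
    return 1
}

# Usage (after downloading both the .tar and the .tar.sig from the archive;
# keyring path is an assumption):
#   verify_package company-0.9.13.tar /path/to/package-keyring.gpg
```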
