[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Security in the emacs package ecosystem

From: Stefan Kangas
Subject: Re: Security in the emacs package ecosystem
Date: Fri, 17 Feb 2023 07:54:02 -0800

Ihor Radchenko <yantar92@posteo.net> writes:

> WRT MELPA we can do the following:
> 1. Open an issue

I had a look, and turns out that there is one already:


> 2. Allow users to demand package.el to verify signatures when
>    downloading packages. Interested users can then increase their
>    security by rejecting packages without .sig file.

Maybe I'm missing something, but isn't that `package-check-signature'?

Its current default is `allow-unsigned', however, which is about as
useful for security purposes as if it was nil.  I think we should
consider changing it to t in Emacs 30.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]