emacs-devel

Re: Security in the emacs package ecosystem


From: Thomas Koch
Subject: Re: Security in the emacs package ecosystem
Date: Sat, 11 Mar 2023 21:45:52 +0200 (EET)

I believe the question of the original poster has not been addressed. It was 
about Emacs packages, not about Emacs itself.

The Emacs manual only mentions that package archives can be signed and that 
"Package archives should provide instructions on how you can obtain their 
public key." (emacs, 48.3 Package Installation)

There are no such instructions on https://elpa.gnu.org nor is there any 
information on security.

(Somewhat rude question: Is GNU Emacs trusting the security of its users to 
Microsoft's GitHub?)

Related:

- https://www.reddit.com/r/emacs/comments/63e8hu/are_emacs_package_repositories_a_security_risk/
- 2013 thread: "security of the emacs package system, elpa, melpa and marmalade"
  https://lists.gnu.org/archive/html/emacs-devel/2013-09/msg00450.html
- https://theupdateframework.io should be helpful for anybody working on 
software update systems


