Re: Security in the emacs package ecosystem
From: Thomas Koch
Subject: Re: Security in the emacs package ecosystem
Date: Sat, 11 Mar 2023 21:45:52 +0200 (EET)

I believe the question of the original poster has not been addressed. It was
about Emacs packages, not about Emacs itself.
The Emacs manual only mentions that package archives can be signed and that
"Package archives should provide instructions on how you can obtain their
public key." (emacs, 48.3 Package Installation)
There are no such instructions on https://elpa.gnu.org nor is there any
information on security.
(Somewhat rude question: Is GNU Emacs trusting the security of its users to
Microsoft's GitHub?)
Related:
- https://www.reddit.com/r/emacs/comments/63e8hu/are_emacs_package_repositories_a_security_risk/
- 2013 thread: "security of the emacs package system, elpa, melpa and marmalade"
https://lists.gnu.org/archive/html/emacs-devel/2013-09/msg00450.html
- https://theupdateframework.io should be helpful for anybody working on
software update systems