emacs-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [ELPA/elpa-admin] Render README.org as ASCII with ox-ascii

From: Adam Porter
Subject: Re: [ELPA/elpa-admin] Render README.org as ASCII with ox-ascii
Date: Sun, 29 Aug 2021 19:01:25 -0500
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux) 
Clément Pit-Claudel <cpitclaudel@gmail.com> writes:

> On 8/29/21 6:52 PM, Adam Porter wrote:
>> Hi Stefan, et al,
>> 
>> Having added taxy.el to ELPA, I noticed that its README.org file isn't
>> very readable on the ELPA site, because it's rendered as a raw file,
>> including long lines that extend beyond the edge of the HTML PRE block,
>> raw Org-syntax, etc.
>> 
>> Thankfully, Org has an ASCII/UTF-8 export backend that cleanly renders
>> Org to plain text.  It only took a few lines of to make use of it.
>> Please see the attached patches.  (While I was at it, I took the liberty
>> of adding a couple of docstrings and renaming a few variables to help me
>> understand the code.)
>
> How much does security matter in this case?  AFAIR exporting an Org
> file can run arbitrary code; would this patch allow a package in ELPA
> to subvert the build process of another package?
>
> And if so, is that a problem, or is there sufficient scrutiny of the
> inputs to ELPA?  IIRC any package author can push to ELPA and updates
> will propagate immediately, so the worry would be that in the time
> between the introduction of a worm and its detection a large number of
> end users might install bad code.

Hi Clément,

Yes, that's a good question.  I don't know if I can fully answer it,
myself.

I would guess that those who have commit access to ELPA are considered
trusted, and regardless of potentially using Org Export while building
packages, those committers could already add malicious code that could
end up being distributed to users until someone noticed and reverted the
changes.

Also, AFAIU, ELPA already runs Makefiles for packages as part of the
build process, and those can run arbitrary code, which I guess could do
things like modify other packages, modify the build process or scripts,
or anything else that the user account the build process runs as could
do on the server.

So, based on my understanding, this change wouldn't make the build
process less secure, per se.  One might say that it could offer a new
way in which to obfuscate or hide malicious code, but I'd guess that,
since we already seem to trust the people who can commit to ELPA now,
this wouldn't change the status quo.

Please let me know if I'm missing something.  :)  Thanks.
reply via email to
[Prev in Thread] Current Thread [Next in Thread]