[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [ELPA/elpa-admin] Render README.org as ASCII with ox-ascii
|
From: |
Adam Porter |
|
Subject: |
Re: [ELPA/elpa-admin] Render README.org as ASCII with ox-ascii |
|
Date: |
Sun, 29 Aug 2021 21:15:13 -0500 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux) |
Clément Pit-Claudel <cpitclaudel@gmail.com> writes:
> The scary part is not so much altering a package (or a few packages)
> with bad code (though that is scary), but having the ability to alter
> all of them (sure, you could push to all package branches, but that's
> more easily detected that altering one readme).
Yes, we should be very careful about that, and I'm glad people like you
and Stefan are keeping it in mind. :) In fact...
>> Also, AFAIU, ELPA already runs Makefiles for packages as part of the
>> build process, and those can run arbitrary code, which I guess could do
>> things like modify other packages, modify the build process or scripts,
>> or anything else that the user account the build process runs as could
>> do on the server.
>
> Good catch, and indeed given this running org doesn't make things
> worse. Thanks.
As Stefan mentioned, it appears that he's is way ahead of both of us, as
he's already implemented some sandboxing in the build process. :)