bug-gnu-emacs
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#32544: [ELPA] core packages need generated files

From: Stefan Monnier
Subject: bug#32544: [ELPA] core packages need generated files
Date: Mon, 27 Aug 2018 20:15:28 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux) 
> Is the concern privilege escalation in build recipes in malicious elpa
> packages?

Yes.

> But couldn't the same package run the same bad code at package install
> time on the end user's machine, today and for as long as elpa.gnu.org
> has existed?

Yes.  Tho not only "at package install time", since that same bad code
can be run any time later when the package is activated or loaded...

> Ie, if we assume malicious code can get into elpa packages with no-one
> noticing, the whole system is already broken anyway?

Yup.

> But if you want to make the elpa system more secure one piece at a time,
> that's obviously no bad thing.

I think the reasons why I'm more worried about elpa.gnu.org than the
end-user's machines include:

- very little time between the moment we receive the commit-diffs by
  email and the moment the code is run.  So even if we notice the
  offending code on the spot, there's not much time to react.
- elpa.gnu.org is part of infrastructure that Emacs users trust when
  downloading GNU ELPA packages (e.g. it holds the PGP signing key), so
  a breach could affect all GNU ELPA users (especially if not
  noticed).


        Stefan
reply via email to
[Prev in Thread] Current Thread [Next in Thread]