[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#32544: [ELPA] core packages need generated files
From: |
Stefan Monnier |
Subject: |
bug#32544: [ELPA] core packages need generated files |
Date: |
Mon, 27 Aug 2018 20:15:28 -0400 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux) |
> Is the concern privilege escalation in build recipes in malicious elpa
> packages?
Yes.
> But couldn't the same package run the same bad code at package install
> time on the end user's machine, today and for as long as elpa.gnu.org
> has existed?
Yes. Tho not only "at package install time", since that same bad code
can be run any time later when the package is activated or loaded...
> Ie, if we assume malicious code can get into elpa packages with no-one
> noticing, the whole system is already broken anyway?
Yup.
> But if you want to make the elpa system more secure one piece at a time,
> that's obviously no bad thing.
I think the reasons why I'm more worried about elpa.gnu.org than the
end-user's machines include:
- very little time between the moment we receive the commit-diffs by
email and the moment the code is run. So even if we notice the
offending code on the spot, there's not much time to react.
- elpa.gnu.org is part of infrastructure that Emacs users trust when
downloading GNU ELPA packages (e.g. it holds the PGP signing key), so
a breach could affect all GNU ELPA users (especially if not
noticed).
Stefan