GNU ELPA security and Org-mode
From: Stefan Monnier
Subject: GNU ELPA security and Org-mode
Date: Thu, 06 Apr 2017 11:04:29 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.50 (gnu/linux)
I just realized that the GPG-signing we're doing in GNU ELPA is
weaker for the org-mode packages than for all others:
All GNU ELPA packages, except for org-mode, are generated by
elpa.gnu.org from an elpa.git checkout (via https, not sure if Git
checks the key), whereas the org-mode package is downloaded from
http://orgmode.org/elpa.
So the org-mode package has weaker points:
- uses http rather than https.
- downloaded from a machine that's further (well, not absolutely sure,
but I assume that elpa.gnu.org and git.sv.gnu.org are near each other).
Maybe we should consider some way to take the org packages from
http://orgmode.org/elpa, and push them to elpa.git. This way even if
this transfer from orgmode.org to elpa.git suffers from the same risks,
the resulting patch would be sent to elpa-diffs, so it would be exposed
for review (how much review it would really get is clearly debatable,
tho).
Stefan