Re: security-patches package

[Ted Zlatanov]

On Fri, 15 Sep 2017 08:32:16 -0400 Stefan Monnier <address@hidden> wrote: 

SM> having a "security-patches" package might make sense.
>> I would love to see that as well, especially if it was well tested in a
>> CI system against various versions of Emacs.
>> What needs to happen so the experience is seamless?

SM> Step one is to create this package in elpa.git, putting the fix for the
SM> enriched.el bug.

A package is pretty easy but I have a few questions before putting that
out:

* how do we prevent accidental or malicious commits to this package?
  Could it maybe live in a special "GNU ELPA security updates" archive
  separate from elpa.git?

* should it be signed+released in a special way? How do we test it?

* what version of Emacs will begin to check for this package?

* Can we do push notifications somehow or are we limited to polling?

* should there be a special mailing list for internal discussions?

* how do we make the experience seamless (on startup, during a
  long-running session, unattended, for a whole site)?

In a related vein, I mentioned a while ago that it would be really nice
to see the changes (from what's installed) to all the code in a package
before upgrading it. I think for security updates that would be
especially useful.

Thanks
Ted