Re: security-patches package

[Ted Zlatanov]

On Thu, 21 Sep 2017 21:01:56 +0100 address@hidden (Phillip Lord) wrote: 

PL> Ted Zlatanov <address@hidden> writes:
>> * how do we prevent accidental or malicious commits to this package?
>> Could it maybe live in a special "GNU ELPA security updates" archive
>> separate from elpa.git?

PL> I think this is not important. It wouldn't have any special privilege;
PL> i.e. the malicious user could do the same nasty things in any package.
PL> Accidental commits could just be controlled by constraining the
PL> *release* -- that is commits would be normal, but they wouldn't go live.

The proposition is to check these packages more frequently and for the
user to trust them more than any other packages, so I think there is
some value to that. But I'm OK with just using the GNU ELPA as long as
the packages are tagged in a special way.

>> * Can we do push notifications somehow or are we limited to polling?

PL> Polling. Worse polling at the users request, because ELPA doesn't also
PL> update.

PL> Changing ELPA to auto-update the archive would be a good thing to do, I
PL> think.

On Thu, 21 Sep 2017 23:12:47 -0400 Stefan Monnier <address@hidden> wrote: 

SM> I'm firmly opposed to making any program initiate network connections
SM> without explicit user request.

I understand the concern.

Let's say the user can turn auto checking on, but normally it will just
be a prominent menu item or button they can click to check for an update?

Ted