emacs-devel

Re: Proposal for an Emacs User Survey


From: Jean Louis
Subject: Re: Proposal for an Emacs User Survey
Date: Fri, 16 Oct 2020 20:04:12 +0300
User-agent: Mutt/1.14.0 (2020-05-02)

* Thibaut Verron <thibaut.verron@gmail.com> [2020-10-16 09:53]:
> On Fri, 16 Oct 2020 at 08:03, Marcel Ventosa <mve1@runbox.com> wrote:
> >
> > On Thu, 15 Oct 2020 23:59:07 -0400
> > Richard Stallman <rms@gnu.org> wrote:
> >
> > > I hope that only a minority of Emacs users know about MELPA, and I'd
> > > rather not inform the rest about it.  But if something is going to
> > > inform them anyway, it is better to do it with a denunciation.
> >
> >
> > I've been using Emacs (and MELPA) for the best part of a decade and
> > knew nothing about this! I'm concerned to use only free software and
> > actively avoid proprietary software, so this is a bit of a shock.
> 
> As I understand it, Melpa packages cannot *be* or *install* non-free
> software. But some will not work without such software, which can in
> theory encourage users to install it.

MELPA as such is definitely a free software project with few freedom
issues with some packages and a lax attitude on usage of proprietary
information through Emacs. For example, I like that when I find a
definition in a dictionary, I can freely include it in the
instruction book, and not that I am chased with licenses not allowing
me to include such information.

MELPA does have a checklist for packages:

Checklist

Please confirm with x:

    The package is released under a GPL-Compatible Free Software License.
    [x ] I've read CONTRIBUTING.org
    [ x] I've used the latest version of package-lint to check for packaging issues, and addressed its feedback
    [ x] My elisp byte-compiles cleanly
    [ x] M-x checkdoc is happy with my docstrings
    [ x] I've built and installed the package using the instructions in CONTRIBUTING.org
    I have confirmed some of these without doing them

Example:
https://github.com/melpa/melpa/pull/6387

People and the MELPA maintainer are verifying packages, but they
cannot possibly verify them each time. So it is prone to security
issues at any time. Once a package is accepted, they are not
automatically verifying the package; so far as I understand, packages
are built in real time and offered to users in real time.

Any account can be cracked and malicious code introduced at any
time.

GitHub is in general an unsafe place for development as it is held by
a major company providing proprietary software; one never knows what
they are up to.


