Re: Security in the emacs package ecosystem
From: Ihor Radchenko
Subject: Re: Security in the emacs package ecosystem
Date: Sat, 04 Feb 2023 13:12:09 +0000

Husain Alshehhi <husain@alshehhi.io> writes:
> This issue is not new and seems to have been discussed before:
>
> <https://emacs-devel.gnu.narkive.com/atiq1AoP/security-of-the-emacs-package-system-elpa-melpa-and-marmalade>
>
> I was wondering if things have changed since then.

To follow up, how are the plans (stated in the referenced discussion)
about signing ELPA packages?

AFAIK, ELPA currently re-builds package tarballs every time a new tag
appears in the source repo. No signature checks, nothing to prevent
a potential breach in the source repo.

And ELPA tarballs themselves are not signed. Same for non-GNU ELPA,
AFAIK.

--
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>