emacs-devel

Re: Security in the emacs package ecosystem


From: Stefan Kangas
Subject: Re: Security in the emacs package ecosystem
Date: Sat, 4 Feb 2023 08:59:54 -0800

Ihor Radchenko <yantar92@posteo.net> writes:

> To followup, how are the plans (stated in the referenced discussion)
> about signing ELPA packages?
>
> AFAIK, ELPA currently re-builds package tarballs every time a new tag
> appears in the source repo. No signature checks, nothing to prevent a
> potential breach in the source repo.

I think we should add some flag to the build system saying that a
package should only be released if the new tag has a valid signature.
This would have to be optional for now.  (It is of course already best
practice to always sign your tags regardless.)

IMO, opening a feature request for this in the bug tracker would be
useful.  A patch would be even better.

> And ELPA tarballs themselves are not signed. Same for non-GNU ELPA,
> AFAIK.

GNU ELPA and NonGNU ELPA do sign packages, see for example:

    https://elpa.gnu.org/packages/company-0.9.13.tar
    https://elpa.gnu.org/packages/company-0.9.13.tar.sig

For some reason, the signature file is not linked from the web
interface.  I think we should add such a link.

If I'm not mistaken, MELPA unfortunately does not sign packages.
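One shape the proposed opt-in gate could take in Emacs Lisp, as an added example that is not code from elpa-admin.el or from anyone in the thread: the `:require-signed-tag` spec property, the `my/` functions and the fingerprint allow-list are all hypothetical. It relies only on `git verify-tag --raw`, whose GnuPG status lines include `VALIDSIG` solely when the signature verifies, and additionally pins the signer to an explicit allow-list instead of trusting whatever keys happen to be in the build host's keyring.

```elisp
;; Added example, not from elpa-admin.el: release a package only if its
;; release tag carries a valid signature from an allow-listed key.

(defvar my/elpa-trusted-fingerprints
  '("0000000000000000000000000000000000000000") ; placeholder fingerprint
  "Full 40-hex-digit OpenPGP primary-key fingerprints allowed to sign tags.")

(defun my/elpa-tag-signer-fingerprint (repo tag)
  "Return the primary-key fingerprint that validly signed TAG in REPO, or nil.
Unsigned tags, bad signatures and unknown keys all make `git verify-tag'
exit non-zero, so they yield nil.  With --raw, git relays GnuPG status
lines; the last field of a VALIDSIG line is the primary key fingerprint."
  (with-temp-buffer
    (let* ((default-directory repo)
           ;; Destination t inserts both stdout and stderr into this buffer.
           (status (call-process "git" nil t nil "verify-tag" "--raw" tag)))
      (when (eq status 0)
        (goto-char (point-min))
        (when (re-search-forward
               "^\\[GNUPG:\\] VALIDSIG [0-9A-F]\\{40\\} .* \\([0-9A-F]\\{40\\}\\)$"
               nil t)
          (match-string 1))))))

(defun my/elpa-release-allowed-p (name spec repo tag)
  "Return non-nil if building TAG of package NAME from REPO is allowed.
SPEC is the package's property list.  Only packages carrying the
hypothetical `:require-signed-tag t' are gated, so the flag stays
optional; everything else keeps the current behaviour."
  (if (not (plist-get spec :require-signed-tag))
      t
    (let ((fpr (my/elpa-tag-signer-fingerprint repo tag)))
      (cond
       ((null fpr)
        (message "Refusing to release %s: tag %s has no valid signature"
                 name tag)
        nil)
       ((not (member fpr my/elpa-trusted-fingerprints))
        (message "Refusing to release %s: tag %s signed by untrusted key %s"
                 name tag fpr)
        nil)
       (t t)))))

;; Usage: (my/elpa-release-allowed-p "company" '(:require-signed-tag t)
;;                                   "/path/to/company/checkout" "0.9.13")
```

Because the allow-list is matched on the primary-key fingerprint, a signature made with a subkey of a trusted key still passes, while a key that merely happens to be imported on the build host does not.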
