[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Security in the emacs package ecosystem
|
From: |
Stefan Kangas |
|
Subject: |
Re: Security in the emacs package ecosystem |
|
Date: |
Fri, 17 Feb 2023 07:54:02 -0800 |
Ihor Radchenko <yantar92@posteo.net> writes:
> WRT MELPA we can do the following:
> 1. Open an issue
I had a look, and turns out that there is one already:
https://github.com/melpa/melpa/issues/1749
> 2. Allow users to demand package.el to verify signatures when
> downloading packages. Interested users can then increase their
> security by rejecting packages without .sig file.
Maybe I'm missing something, but isn't that `package-check-signature'?
Its current default is `allow-unsigned', however, which is about as
useful for security purposes as if it was nil. I think we should
consider changing it to t in Emacs 30.
- Re: Security in the emacs package ecosystem, Ihor Radchenko, 2023/02/04
- Re: Security in the emacs package ecosystem, Stefan Kangas, 2023/02/04
- Re: Security in the emacs package ecosystem, Ihor Radchenko, 2023/02/17
- Re: Security in the emacs package ecosystem, Ihor Radchenko, 2023/02/17
- Re: Security in the emacs package ecosystem,
Stefan Kangas <=
- Re: Security in the emacs package ecosystem, Ihor Radchenko, 2023/02/18
- Re: Security in the emacs package ecosystem, Eli Zaretskii, 2023/02/18
- Re: Security in the emacs package ecosystem, Richard Stallman, 2023/02/20
- Re: Security in the emacs package ecosystem, Po Lu, 2023/02/20
- Re: Security in the emacs package ecosystem, chad, 2023/02/20
- Making `package-check-signature' more restrictive by default, Stefan Kangas, 2023/02/18