Re: MELPA issues - Re: Proposal for an Emacs User Survey
From: Marcel Ventosa
Subject: Re: MELPA issues - Re: Proposal for an Emacs User Survey
Date: Sat, 17 Oct 2020 09:59:18 +0700
Thank you for your explanation Jean Louis.
On Fri, 16 Oct 2020 19:33:45 +0300
Jean Louis <bugs@gnu.support> wrote:
> * Marcel Ventosa <mve1@runbox.com> [2020-10-16 09:03]:
> > On Thu, 15 Oct 2020 23:59:07 -0400
> > Richard Stallman <rms@gnu.org> wrote:
> >
> > > I hope that only a minority of Emacs users know about MELPA, and
> > > I'd rather not inform the rest about it. But if something is
> > > going to inform them anyway, it is better to do it with a
> > > denunciation.
> >
> >
> > I've been using Emacs (and MELPA) for the best part of a decade and
> > knew nothing about this! I'm concerned to use only free software and
> > actively avoid proprietary software, so this is a bit of a shock.
> >
> > Is there anywhere I can read more about this issue?
>
> I have not checked all the software on MELPA, but due to Github
> policies that free (of charge) repositories should have only free (as
> in liberty) software licenses, I am assuming that probably none of
> that software is non-free. But there can be MELPA software that is
> vague because maybe maintainers have not put the proper license, which
> is often the case.
>
> The software provided by MELPA may lead users to non-free software or
> may control non-free software or be made exclusively for usage of free
> software.
>
> An example that I have found is the ChatWork package; it works with the
> ChatWork chat software, which I only assume is proprietary. I have not
> checked it very well, but it seemed to be so from verification of their
> website.
>
> Corporations can very easily sponsor somebody to provide software for
> Emacs to provide features that control or interact with their
> proprietary software.
>
> It is also a method of advertising.
>
> Then there is software to access various websites, let us say software
> that provides quotes from a specific website; it could be a funny quote or
> a smart one, but maybe the purpose is simply advertising. Finally,
> fetching something from another website I consider dangerous; the package
> itself need not be, but other packages that follow could easily be
> dangerous.
>
> More danger from MELPA comes from the fact that MELPA is not verifying
> the packages, not that I know of; I have read that they said they are not
> doing it.
>
> There is a plethora of insecurities on MELPA. It is far from harmless.
>
> As far as I understood, the packages arriving in GNU ELPA have their
> copyright assigned to the FSF. I am also assuming as a user that such packages
> are somehow reviewed by developers, not just one developer, and that
> they are placed into ELPA as a duplicate or copy from the upstream. I
> may be wrong in all of that assumption, but I think that GNU ELPA
> packages are verified for freedom and mostly for security and safety
> of users. We are speaking of loading true programming language code
> and executing it on users' computers.
>
> It is not equivalent to Javascript; it is far more dangerous than
> Javascript, which tends to execute in a safe environment, in such a way
> as not to abuse users' computers and data. Yet
> people have found ways to crack browsers and to crack and enter into
> users' file systems; there are many ways in which Javascript can be
> malicious.
>
> The more packages there are that are not verified, but simply offered
> for download through MELPA, the more insecurities are coming
> in the future.
>
> MELPA is allowing Google to track users by using Google Analytics on
> their website; that already speaks of the webmaster's lack of
> skills in managing the website. There are so many free software
> programs for web statistics, and there is no need for third-party
> tracking.
>
> Now, the real insecurity comes from programs that are sourced from
> Github. If there are 4000+ packages, there can be 1000+ authors, maybe
> even 2000+ authors.
>
> Each of those authors represents an insecurity to computing, as their
> packages are not verified each time they are pulled; they are blindly
> trusted.
>
> The blind trust in MELPA packages is what is making it highly insecure
> for computer users.
>
> It requires just 1 author's account to be cracked and
> malicious code to be inserted, and thousands of computer users can be
> affected that way.
>
> Finally, an author can go nuts himself, and can become psychotic; there
> are programmers who became so. They can introduce malicious code
> themselves, or can do it while claiming it was somebody else.
>
> Packages that I think do not belong in a free software repository for
> the reason that they are using proprietary information or wrapping proprietary
> software, or use known spying networks:
>
> babel - that uses non-free Babelfish translations (if I am mistaken
> tell me)
>
> chatwork - that uses non-free ChatWork proprietary chat software
>
> bing-dict - that uses Microsoft Bing proprietary dictionary
>
> calfw-gcal - to edit Google calendar
>
> Obviously I came to the letter C; I could browse more and find more
> troublesome packages.
>
> Yet the major insecurity is the number of packages that are not verified
> by a human to be safe, and the blind offering and blind acceptance by users
> thinking they are safe.
>
> Jean
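The trust model Jean describes (packages pulled from thousands of upstream repositories and accepted without verification) can be constrained on the user's side with package.el's own options. The following Emacs configuration is an editorial example added here; it is not code from this thread, from MELPA or from GNU ELPA. It shows the permissive setup commonly copied into init files beside a tightened one: GNU ELPA is preferred and must present a verified signature, MELPA is consulted only where a package is explicitly pinned to it or exists nowhere else. The variable names are real package.el options; the pinned package name `example-mode` is an assumed placeholder.

```elisp
;; Added example (not from the thread): make the choice of archive for each
;; package explicit instead of accepting whichever archive offers the
;; newest version.

(require 'package)

;; --- Permissive setup, as often copied into init files ---------------------
;; All archives are trusted equally; the highest version number wins, and
;; unsigned packages install without complaint.
;; (setq package-archives
;;       '(("gnu"   . "https://elpa.gnu.org/packages/")
;;         ("melpa" . "https://melpa.org/packages/")))
;; (setq package-check-signature 'allow-unsigned)   ; package.el's default

;; --- Tightened setup --------------------------------------------------------
(setq package-archives
      '(("gnu"   . "https://elpa.gnu.org/packages/")
        ("melpa" . "https://melpa.org/packages/")))

;; When a package exists in both archives, take the GNU ELPA copy even if
;; MELPA carries a newer version; only pinned packages override this.
(setq package-archive-priorities
      '(("gnu"   . 10)
        ("melpa" . 0)))

;; Reject any package that does not carry a verified signature ...
(setq package-check-signature t)
;; ... except from archives listed here, which publish no signatures.
;; Listing MELPA is a deliberate, visible acknowledgement that its
;; packages are taken on trust in the upstream author's repository.
(setq package-unsigned-archives '("melpa"))

;; Packages that are consciously taken from MELPA, one by one.  The name
;; below is an assumed placeholder, not a real package.
(setq package-pinned-packages
      '((example-mode . "melpa")))

(package-initialize)
```

With this in place, an update that silently replaces a GNU ELPA package with a MELPA build cannot happen through priorities alone, and a GNU ELPA archive whose signature fails to verify is refused rather than installed. Packages that exist only on MELPA are still installable, which is the part of the trust decision the user is left to make per package.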