emacs-devel

Re: MELPA issues - Re: Proposal for an Emacs User Survey


From: Marcel Ventosa
Subject: Re: MELPA issues - Re: Proposal for an Emacs User Survey
Date: Sat, 17 Oct 2020 09:59:18 +0700

Thank you for your explanation, Jean Louis.

On Fri, 16 Oct 2020 19:33:45 +0300
Jean Louis <bugs@gnu.support> wrote:

> * Marcel Ventosa <mve1@runbox.com> [2020-10-16 09:03]:
> > On Thu, 15 Oct 2020 23:59:07 -0400
> > Richard Stallman <rms@gnu.org> wrote:
> > 
> > > I hope that only a minority of Emacs users know about MELPA, and
> > > I'd rather not inform the rest about it.  But if something is
> > > going to inform them anyway, it is better to do it with a
> > > denunciation.
> > 
> > I've been using Emacs (and MELPA) for the best part of a decade and
> > knew nothing about this! I'm concerned to use only free software and
> > actively avoid proprietary software, so this is a bit of a shock.
> > 
> > Is there anywhere I can read more about this issue?  
> 
> I have not checked all the software on MELPA, but due to Github
> policies that free (of charge) repositories should have only free (as
> in liberty) software licenses, I am assuming that probably none of
> that software is non-free. But there can be MELPA software that is
> vague because maybe the maintainers have not put in the proper
> license, which is often the case.
> 
> The software provided by MELPA may lead users to non-free software,
> may control non-free software, or may be made exclusively for use of
> free software.
> 
> An example that I have found is the ChatWork package; it works with
> the ChatWork chat software, which I only assume is proprietary. I have
> not checked it very well; it seemed to be so from a look at their
> website.
> 
> Corporations can very easily sponsor somebody to provide software for
> Emacs that provides features which control or interact with their
> proprietary software.
> 
> It is also a method of advertising.
> 
> Then there is software to access various websites, let us say software
> that provides quotes from a specific website; it could be a funny
> quote or a smart one, but maybe the purpose is simply advertising.
> Finally, I consider fetching something from another website
> dangerous; the package itself need not be, but other packages that
> follow could easily be dangerous.
> 
> More danger from MELPA comes from the fact that MELPA is not verifying
> the packages, not that I know of; I have read that they said they are
> not doing it.
> 
> There is a plethora of insecurities on MELPA. It is far from harmless.
> 
> So far as I understand, the packages arriving in GNU ELPA have their
> copyright assigned to the FSF. I am also assuming, as a user, that
> such packages are somehow reviewed by developers, not just one
> developer, and that they are placed into ELPA as a duplicate or copy
> of the upstream. I may be wrong in all of those assumptions, but I
> think that GNU ELPA packages are verified for freedom and mostly for
> the security and safety of users. We are speaking of loading true
> programming language code and executing it on users' computers.
> 
> It is not equivalent to JavaScript; it is far more dangerous than
> JavaScript, which tends to execute in a safe environment, in such a
> way as not to abuse users' computers and data. Yet people have found
> ways to crack browsers and to crack and enter users' file systems;
> there are many ways in which JavaScript can be malicious.
> 
> The more packages there are that are not verified but simply offered
> for download through MELPA, the more insecurities are coming in the
> future.
> 
> MELPA is allowing Google to track users by using Google Analytics on
> their website; that already speaks of the webmaster's lack of skill
> in managing the website. There are so many free software programs for
> web statistics, and there is no need for third-party tracking.
> 
> Now, the real insecurity comes from programs that are sourced from
> Github. If there are 4000+ packages, there can be 1000+ authors, maybe
> even 2000+ authors.
> 
> Each of those authors represents an insecurity to computing, as their
> packages are not verified each time they are pulled; they are blindly
> trusted.
> 
> The blind trust in MELPA packages is what makes it highly insecure
> for computer users.
> 
> It requires just one author's account to be cracked and malicious
> code to be inserted, and thousands of computer users can be affected
> that way.
> 
> Finally, an author can go nuts himself and become psychotic; there
> are programmers who have become so. They can introduce malicious code
> themselves, or can do it while claiming it was somebody else.
> 
> Packages that I think do not belong in a free software repository,
> for the reason that they use proprietary information, wrap
> proprietary software, or use known spying networks:
> 
> babel - uses the non-free Babelfish translations (if I am mistaken,
> tell me)
> 
> chatwork - uses the non-free ChatWork proprietary chat software
> 
> bing-dict - uses the Microsoft Bing proprietary dictionary
> 
> calfw-gcal - to edit Google Calendar
> 
> Obviously I only came to the letter C; I could browse more and find
> more troublesome packages.
> 
> Yet the major insecurity is the number of packages that are not
> verified by a human to be safe, the blind offering, and the blind
> acceptance by users thinking they are safe.
> 
> Jean
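As an added example (my own code, not part of this thread nor of MELPA's or GNU ELPA's tooling): an Emacs init fragment that applies the mitigations implied by the argument above, ranking GNU ELPA above MELPA, refusing unsigned archive indexes, and auditing which installed packages are offered only by a non-GNU archive. The helper name `my/packages-not-in-gnu-elpa` is my own; the package.el variables and accessors are the standard ones.

```elisp
;; Added example, not code from the thread or from MELPA/GNU ELPA.
;; Goal: make GNU ELPA the preferred source, refuse unsigned archives,
;; and list installed packages that only a non-"gnu" archive offers.
(require 'package)

;; Both archives stay configured, but "gnu" outranks "melpa", so a
;; package present in both is installed from GNU ELPA.
(setq package-archives
      '(("gnu"   . "https://elpa.gnu.org/packages/")
        ("melpa" . "https://melpa.org/packages/")))
(setq package-archive-priorities
      '(("gnu" . 10) ("melpa" . 0)))

;; `all' requires a valid GPG signature on each archive index and on
;; every package; `allow-unsigned' only warns about missing ones.
;; With "melpa" absent from `package-unsigned-archives', its unsigned
;; index is rejected at refresh time instead of being trusted blindly.
;; (Anyone who still wants MELPA installs would list it there.)
(setq package-check-signature 'all)
(setq package-unsigned-archives nil)

(defun my/packages-not-in-gnu-elpa ()
  "Return an alist (NAME . ARCHIVES) of installed packages not offered by \"gnu\".
ARCHIVES holds the names of the archives in `package-archive-contents'
that carry NAME; nil means no configured archive offers it at all.
Run `package-refresh-contents' first so the index is current."
  (let (result)
    (dolist (installed package-alist)
      (let* ((name (car installed))
             ;; All descriptors every configured archive publishes for NAME.
             (available (cdr (assq name package-archive-contents)))
             (archives (mapcar #'package-desc-archive available)))
        (unless (member "gnu" archives)
          (push (cons name archives) result))))
    (nreverse result)))

;; Usage, e.g. from M-: after M-x package-refresh-contents:
;; (my/packages-not-in-gnu-elpa)
```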
