[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#61277: FR: ELPA security - Restrict package builds to signed git com
|
From: |
Daniel Mendler |
|
Subject: |
bug#61277: FR: ELPA security - Restrict package builds to signed git commits |
|
Date: |
Sat, 04 Feb 2023 19:19:06 +0100 |
As discussed on emacs-devel it would be good if ELPA security could be
improved, preventing potential breaches on the side of the source
repository. This feature becomes more relevant the more packages are
:auto-sync'ed from their source repository.
My git commits are usually signed, so one could check the signature of
each commit which leads to a package build. This feature could be opt-in
for now, enabled via an attribute :signature in the elpa-packages
configuration. Maybe elpa-packages could store the fingerprint(s) of the
expected GPG key(s)?
In the case of a breach, both the SSH and GPG keys may be stolen, which
would allow an attacker to create commits on hosted repositories, such
that the mechanism would not help. However the source repository may
also get compromised via other vectors.
https://lists.gnu.org/archive/html/emacs-devel/2023-02/msg00120.html