[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#61277: FR: ELPA security - Restrict package builds to signed git com
|
From: |
Daniel Mendler |
|
Subject: |
bug#61277: FR: ELPA security - Restrict package builds to signed git commits |
|
Date: |
Sun, 12 Feb 2023 11:32:36 +0100 |
On 2/12/23 07:37, Stefan Kangas wrote:
>> Breach of precisely what? To think about this issue
>> requires an answer to that question.
>
> The idea is that the likelihood of both an SSH and a PGP key getting
> stolen at the same time is lower than either one of them getting stolen
> separately.
There could also be a breach on the server where the git repository is
hosted. The repository could be manipulated directly on the server. It
is not that likely but if such incidents happen they have a huge
fallout. I also expect that more and more people move their
:auto-sync'ed git repositories to private servers or smaller forges,
which may not be as protected as the most popular ones.
Daniel
- bug#61277: FR: ELPA security - Restrict package builds to signed git commits, Daniel Mendler, 2023/02/04
- bug#61277: FR: ELPA security - Restrict package builds to signed git commits, Eli Zaretskii, 2023/02/07
- bug#61277: FR: ELPA security - Restrict package builds to signed git commits, Stefan Kangas, 2023/02/12
- bug#61277: FR: ELPA security - Restrict package builds to signed git commits, Richard Stallman, 2023/02/15
- bug#61277: FR: ELPA security - Restrict package builds to signed git commits, Stefan Kangas, 2023/02/15
- bug#61277: FR: ELPA security - Restrict package builds to signed git commits, Stefan Monnier, 2023/02/15
- bug#61277: FR: ELPA security - Restrict package builds to signed git commits, Richard Stallman, 2023/02/25