From: Richard Stallman
Subject: bug#61277: FR: ELPA security - Restrict package builds to signed git commits
Date: Sat, 25 Feb 2023 21:59:45 -0500
Please forgive my delay in replying.
> If an attacker can introduce a commit containing malicious code, and
> create a new git tag pointing to that commit, the GNU ELPA scripts will
> fetch it, and release a new version of the package (now including the
> malicious code). By requiring tags to be cryptographically signed, we
> can have a greater confidence that any new tag has at the very least
> been signed off by the developer him/herself.
This seems wise to me. Does anyone have arguments against?
--
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)
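The check the quoted proposal asks for, written out as an added example (not code from this bug report or from the GNU ELPA build scripts): a build step refuses a release tag unless git verifies its signature and the signing key's fingerprint is on a per-package allowlist of maintainer keys. The allowlist file, the `verify_release_tag` wrapper and the fingerprint values are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example, not part of the GNU ELPA scripts: gate a package build on a
# signed release tag whose signing key is on an allowlist of maintainer keys.

# Parse the raw gpg status lines that `git verify-tag --raw` writes to stderr.
# Succeed only when a VALIDSIG line names a fingerprint listed in the allowlist
# file (one full fingerprint per line); fail on a bad, unknown, expired or
# revoked signing key, or when no signature is present at all.
# Usage: tag_signed_by_allowed_key <gpg-status-text> <allowlist-file>
tag_signed_by_allowed_key() {
    status="$1"; allowlist="$2"
    # Any of these status words means the signature must not be trusted.
    if printf '%s\n' "$status" | grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG)'; then
        return 1
    fi
    # "[GNUPG:] VALIDSIG <fingerprint> <date> ...": fingerprint is field 3.
    fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')
    [ -n "$fpr" ] || return 1
    grep -Fxq "$fpr" "$allowlist"
}

# Ask git to verify <tag> in <repo>, then apply the allowlist check.
# Exit status 0 means "safe to build this tag".
# Usage: verify_release_tag <repo-dir> <tag> <allowlist-file>
verify_release_tag() {
    repo="$1"; tag="$2"; allowlist="$3"
    # --raw sends gpg's machine-readable status to stderr; capture only that.
    status=$(git -C "$repo" verify-tag --raw "$tag" 2>&1 >/dev/null) || return 1
    tag_signed_by_allowed_key "$status" "$allowlist"
}
```

A build driver would call `verify_release_tag "$pkgdir" "$newtag" "$pkgdir/.maintainer-keys" || exit 1` before packaging; a tag that merely carries some signature, but not one from a listed key, is rejected the same way as an unsigned one.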