bug#61277: FR: ELPA security - Restrict package builds to signed git commits

From: Stefan Kangas
Subject: bug#61277: FR: ELPA security - Restrict package builds to signed git commits
Date: Wed, 15 Feb 2023 05:37:36 -0800
Richard Stallman <rms@gnu.org> writes:
> You're discussing the "how" of a possible breach,
> but what I really need to know is the "what".
> What is being breached? What is the context here?
The "what" is the git repository of a GNU ELPA or NonGNU ELPA package.
If an attacker can introduce a commit containing malicious code, and
create a new git tag pointing to that commit, the GNU ELPA scripts will
fetch it, and release a new version of the package (now including the
malicious code). By requiring tags to be cryptographically signed, we
can have a greater confidence that any new tag has at the very least
been signed off by the developer him/herself.
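The check described above, as an added example that is not part of the message or of the GNU ELPA build scripts: a small policy module a build script could call before it fetches a newly pushed tag. It runs `git verify-tag --raw`, which prints GnuPG's machine-readable status lines to stderr, and accepts the tag only when those lines report a GOOD signature whose key fingerprint is on a per-package allowlist. Merely requiring "some signature" is not enough, because an attacker who can push a tag can also sign it with a key of their own; the allowlist is what ties the tag to the maintainer. The package name, the fingerprints and the sample status output are all constructed for the example.

```python
"""Signed-tag policy check for a package build script (added example).

Parses the GnuPG status-fd lines produced by `git verify-tag --raw <tag>`
and accepts a tag only if it carries a GOOD signature from an allowlisted
key fingerprint. All package names, fingerprints and sample output below
are constructed; they do not belong to any real ELPA package.
"""
import subprocess
from dataclasses import dataclass
from typing import Optional, Set

# Constructed allowlist: primary or signing-key fingerprints per package.
ALLOWED_SIGNERS = {
    "example-pkg": {"ABCDEF0123456789ABCDEF0123456789ABCDEF01"},
}

# Status keywords that mean the signature must never be trusted.
REJECT_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


@dataclass
class TagVerdict:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None


def evaluate_status(status_text: str, allowed: Set[str]) -> TagVerdict:
    """Decide from GnuPG status lines whether a tag signature is acceptable.

    GOODSIG alone only says the signature verifies against *some* key in the
    keyring; VALIDSIG carries the fingerprint(s), which we compare against
    the allowlist. Any BADSIG/ERRSIG/expired/revoked line rejects outright.
    """
    good = False
    candidates: Set[str] = set()
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable noise, not a status line
        fields = line.split()
        keyword = fields[1]
        if keyword in REJECT_KEYWORDS:
            return TagVerdict(False, f"signature rejected: {keyword}")
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and len(fields) >= 3:
            # fields[2] is the signing (sub)key fingerprint; when GnuPG
            # appends the primary key fingerprint it is the 12th token.
            candidates.add(fields[2].upper())
            if len(fields) >= 12:
                candidates.add(fields[11].upper())
    if not good or not candidates:
        return TagVerdict(False, "no valid signature found")
    matched = candidates & {a.upper() for a in allowed}
    if not matched:
        return TagVerdict(False, "signer not in allowlist",
                          sorted(candidates)[0])
    return TagVerdict(True, "signed by allowlisted key", sorted(matched)[0])


def verify_tag(repo: str, tag: str, package: str) -> TagVerdict:
    """Run git's tag verification on a checkout and apply the allowlist."""
    proc = subprocess.run(
        ["git", "-C", repo, "verify-tag", "--raw", tag],
        capture_output=True, text=True,
    )
    # git exits non-zero for unsigned tags; status lines live on stderr,
    # so we evaluate stderr regardless of the exit code.
    return evaluate_status(proc.stderr, ALLOWED_SIGNERS.get(package, set()))


# Constructed sample output, in the shape GnuPG's status-fd uses.
FPR = "ABCDEF0123456789ABCDEF0123456789ABCDEF01"
FOREIGN_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_GOOD = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 23456789ABCDEF01 Example Maintainer <maint@example.invalid>
[GNUPG:] VALIDSIG {FPR} 2023-02-15 1676438256 0 4 0 22 8 01 {FPR}
[GNUPG:] TRUST_FULLY 0 pgp
"""
SAMPLE_FOREIGN = SAMPLE_GOOD.replace(FPR, FOREIGN_FPR)
SAMPLE_BAD = """[GNUPG:] NEWSIG
[GNUPG:] BADSIG 23456789ABCDEF01 Example Maintainer <maint@example.invalid>
"""
SAMPLE_UNSIGNED = "error: no signature found\n"

if __name__ == "__main__":
    allowed = ALLOWED_SIGNERS["example-pkg"]
    for name, sample in [("good", SAMPLE_GOOD), ("foreign", SAMPLE_FOREIGN),
                         ("bad", SAMPLE_BAD), ("unsigned", SAMPLE_UNSIGNED)]:
        print(name, evaluate_status(sample, allowed))
```

In a real build script `verify_tag(repo, tag, package)` would gate the checkout of `tag`; a rejected verdict should abort the release and be logged with the reason so a maintainer can tell a lost key from a hostile push.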