emacs-devel

Re: [ELPA/elpa-admin] Render README.org as ASCII with ox-ascii


From: Clément Pit-Claudel
Subject: Re: [ELPA/elpa-admin] Render README.org as ASCII with ox-ascii
Date: Sun, 29 Aug 2021 21:49:36 -0400
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0

On 8/29/21 8:01 PM, Adam Porter wrote:
> I would guess that those who have commit access to ELPA are considered
> trusted, and regardless of potentially using Org Export while building
> packages, those committers could already add malicious code that could
> end up being distributed to users until someone noticed and reverted the
> changes.

The scary part is not so much altering a package (or a few packages) with bad 
code (though that is scary), but having the ability to alter all of them (sure, 
you could push to all package branches, but that's more easily detected than 
altering one readme).

> Also, AFAIU, ELPA already runs Makefiles for packages as part of the
> build process, and those can run arbitrary code, which I guess could do
> things like modify other packages, modify the build process or scripts,
> or anything else that the user account the build process runs as could
> do on the server.

Good catch, and indeed, given this, running org doesn't make things worse.  
Thanks.




