Re: Security in the emacs package ecosystem

emacs-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Security in the emacs package ecosystem

From:	Thomas Koch
Subject:	Re: Security in the emacs package ecosystem
Date:	Sat, 11 Mar 2023 21:45:52 +0200 (EET)

I believe, the question of the original poster has not been addressed. It was 
about Emacs packages, not about Emacs itself.

The Emacs manual only mentions, that package archives can be signed and that 
"Package archives should provide instructions on how you can obtain their 
public key." (emacs, 48.3 Package Installation)

There are no such instructions on https://elpa.gnu.org nor is there any 
information on security.

(Somewhat rude question: Is Gnu Emacs trusting the security of its users to 
Microsofts GitHub?)

Related:

- 
https://www.reddit.com/r/emacs/comments/63e8hu/are_emacs_package_repositories_a_security_risk/
- 2013 thread: "security of the emacs package system, elpa, melpa and marmalade"
  https://lists.gnu.org/archive/html/emacs-devel/2013-09/msg00450.html
- https://theupdateframework.io should be helpful for anybody working on 
software update systems

[Prev in Thread]

Current Thread

[Next in Thread]

Re: Security in the emacs package ecosystem, Thomas Koch <=
- Re: Security in the emacs package ecosystem, Richard Stallman, 2023/03/14

Prev by Date: Re: Make all tree-sitter modes optional
Next by Date: Re: New Eglot release
Previous by thread: Re: Make all tree-sitter modes optional
Next by thread: Re: Security in the emacs package ecosystem
Index(es):
- Date
- Thread