[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Where should security issues with GNU ELPA packages be reported?
|
From: |
Philip Kaludercic |
|
Subject: |
Re: Where should security issues with GNU ELPA packages be reported? |
|
Date: |
Thu, 28 Mar 2024 16:07:44 +0000 |
Morgan Willcock <morgan@ice9.digital> writes:
> I think I have found a security issue with a package which is
> distributed on GNU ELPA, and I am unsure who to notify.
>
> Given that the package is technically part of Emacs, do I follow
> whatever the procedure would be for disclosing security problems with
> Emacs? If so, what is that procedure?
>
> Or should I e-mail the package author first?
>
> Given that it is not the package author who is distributing the package,
> I am unsure what to do.
It would probably be better to message the maintainer first, if there is
no explicit maintainer you can check elpa.git to infer who is
responsible. Can you disclose what package you are concerned about?
--
Philip Kaludercic on peregrine