Re: Where should security issues with GNU ELPA packages be reported?
From: Morgan Willcock
Subject: Re: Where should security issues with GNU ELPA packages be reported?
Date: Thu, 28 Mar 2024 17:14:24 +0000
User-agent: Gnus/5.13 (Gnus v5.13)
Philip Kaludercic <philipk@posteo.net> writes:
> Morgan Willcock <morgan@ice9.digital> writes:
>
>> I think I have found a security issue with a package which is
>> distributed on GNU ELPA, and I am unsure who to notify.
>>
>> Given that the package is technically part of Emacs, do I follow
>> whatever the procedure would be for disclosing security problems with
>> Emacs? If so, what is that procedure?
>>
>> Or should I e-mail the package author first?
>>
>> Given that it is not the package author who is distributing the package,
>> I am unsure what to do.
>
> It would probably be better to message the maintainer first, if there is
> no explicit maintainer you can check elpa.git to infer who is
> responsible.
There is an e-mail address for the maintainer, I just wasn't sure
whether going to them first was the correct thing to do.
> Can you disclose what package you are concerned about?
I was not planning on naming it until after I had spoken privately to
whoever the appropriate person is. The problem concerns an encryption
failure which potentially exposes private security keys.
--
Morgan Willcock