emacs-orgmode

Re: One vs many directories


From: Tim Cross
Subject: Re: One vs many directories
Date: Wed, 25 Nov 2020 18:00:41 +1100
User-agent: mu4e 1.5.7; emacs 27.1.50

Jean Louis <bugs@gnu.support> writes:

> * Tim Cross <theophilusx@gmail.com> [2020-11-24 23:40]:
>> If people are really concerned about security, they should look first at
>> their use of repositories like MELPA. There is no formal review or
>> analysis of packages in these repositories, yet people will happily
>> select some package and install it.
>
> Interesting that you are one who mentions that. There are just a few
> people who have ever mentioned it.
>
> I am still in the process of reviewing MELPA packages and its
> system. There are many security issues.
>
> Package signing is one example. It does not offer much security
> when packages are signed automatically, but it raises the level of
> security.
>
> MELPA packages and archive-contents are not PGP signed, while GNU ELPA
> packages are signed.
>

IMO signing of packages is irrelevant when there is no formal review
process or even any formal process to verify the credentials of
signatures. In fact, just adding signing would likely be
counter-productive as it would give the impression of some sort of
security where there is none.

Basically, anyone can upload anything to MELPA. The only way anyone
would find out that an uploaded package has malicious code is if someone
does a code review and spots the malicious payload. Even once they find
that, there is little chance of being able to attribute the actions to
any individual because no real identity vetting is conducted. MELPA is
the wild west.

The new non-GNU repository has been set up precisely due to both the
licensing issue and the fact many MELPA packages recommend/encourage the
use of non-free software/services. While non-GNU will improve this
situation, I don't believe there are any plans to actively review the
code in the packages. So, like MELPA, all you really have to go on is
package reputation. You cannot have any high level of confidence a
package does not contain malicious code other than an expectation that
if it is used by a sufficiently large number of users, it is
unlikely.

This is not an issue unique to Emacs. You only have to look at the
issues both Google's Play Store and Apple's App Store have had in the
past to see what the risks are. Both Google and Apple have put large
amounts of resources into trying to ensure their repository content is
safe and yet they still have failures. Something like GNU Emacs has
nowhere near the same resources, so is unlikely to come even close to
the same level of security.
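The asymmetry Jean Louis describes (GNU ELPA signs its archive index and packages, MELPA signs neither) is something package.el can be made to enforce rather than merely report. The configuration below is an added example for readers of this thread; it is not code from either correspondent or from the MELPA or GNU ELPA projects. It assumes Emacs 27 package.el with GnuPG installed, and the archive URLs shown are the ones the two archives publish. Everything else it relies on (package-check-signature, package-unsigned-archives, package-archive-priorities) is a documented package.el variable.

```emacs-lisp
;; Added example, not from the thread: make Emacs refuse archive indexes
;; and packages that do not carry a valid OpenPGP signature.
(require 'package)

;; Two archives, one signed (GNU ELPA) and one unsigned (MELPA).
(setq package-archives
      '(("gnu"   . "https://elpa.gnu.org/packages/")
        ("melpa" . "https://melpa.org/packages/")))

;; The default value, 'allow-unsigned, verifies a signature only when one
;; happens to be present and silently accepts unsigned content otherwise.
;; 'all requires a valid signature on archive-contents and on every
;; package, and checks every signature when a file carries several.
(setq package-check-signature 'all)

;; Signatures are checked against the keyring in package-gnupghome-dir
;; (by default the "gnupg" directory under package-user-dir). Emacs ships
;; the GNU ELPA signing key there; the gnu-elpa-keyring-update package
;; from GNU ELPA refreshes it when the key is rotated.

;; With 'all in force, M-x package-refresh-contents now fails for MELPA,
;; because MELPA publishes no archive-contents.sig: exactly the gap the
;; thread points out. Exempting MELPA by name keeps the decision to trust
;; unsigned content explicit and limited to that one archive, instead of
;; the default of accepting unsigned content from every archive.
;; (setq package-unsigned-archives '("melpa"))

;; When a package exists in both archives, take the signed copy.
(setq package-archive-priorities '(("gnu" . 10) ("melpa" . 0)))

(package-initialize)
```

Note what this does and does not buy: a valid signature shows the archive operator published the file unchanged, which is the transport and mirror-tampering property. It says nothing about whether the code was reviewed or who wrote it, which is the point Tim makes above.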


