emacs-orgmode

Re: Security issues in Emacs packages


From: Tim Cross
Subject: Re: Security issues in Emacs packages
Date: Thu, 26 Nov 2020 10:39:57 +1100
User-agent: mu4e 1.5.7; emacs 27.1.50

Jean Louis <bugs@gnu.support> writes:

>>
>> this is wrong. In melpa you specify either a commit (SHA) or a branch or
>> both. The repository owner has control over this. MELPA doesn't just
>> pull data from the repository because there has been an update. You can
>> configure things so that whenever data is committed to a release branch,
>> it is pulled, but this is under the control of the repository owner. It
>> isn't that different to ELPA where the maintainer will either push new
>> data to the ELPA repository (or ask someone with write permission to
>> pull it from their repository).
>
> OK, it is great that it is so. Are you perhaps an author doing it? Is there
> any reference that authors are doing so? I have MELPA downloaded; could
> you tell me how I can see that the author is deciding whether a package is
> for release?
>

You can clone the melpa repository and see the recipes for each package.

It depends on how the author specifies their MELPA recipe. They can
define their recipe based on a specific commit (SHA). If they do this,
it doesn't matter how often or when MELPA pulls from the repository as
they will always get the same commit.

They can also specify a branch rather than a commit SHA. In this case,
MELPA will retrieve updates from that branch, so when that branch is
updated, it will pull new data. In this case, it is up to the developer
to manage their 'release' branch appropriately. When they are ready for
a new release, they push their updates to the release branch and update
the version tag. This is pretty much the same as how ELPA works for external
packages (those which don't manage their code within the GNU ELPA repository
itself).


>
> So is there automatic pulling?
>
> I compare automatic pulling and building to author's decision on when
> a package would be issued.
>

Your model is flawed. You can have both automatic pulling AND author
control over when a new package is issued.

If an author defines their MELPA recipe to use a SHA, a new package will not
be issued until they update their recipe with a new SHA.

If an author defines their MELPA recipe to pull from a release branch, a
new package will not be issued until they update the release branch and
version tag.

MELPA does not automatically generate a new package just because
something has changed within the git repository. It has to be a change
to a specified branch and update to the version tag or it has to be a
change in the recipe with an update to the commit SHA.

--
Tim Cross
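One way to check, for yourself, how each recipe in a local clone of the melpa repository pins its source, as an added example that is not code from this thread: it reads each recipe and reports whether it uses the MELPA `:commit` or `:branch` key (both are documented recipe keys); the function names and the clone path are assumptions.

```elisp
;; Added example, not from the mailing-list thread. RECIPE-DIR is the
;; `recipes/' directory of a local clone of https://github.com/melpa/melpa.
;; A recipe is a list whose car is the package symbol and whose cdr is a
;; plist; `:commit' and `:branch' are the recipe keys the message refers to.
(defun my/melpa-recipe-pinning (recipe-file)
  "Return a string describing how the recipe in RECIPE-FILE is pinned."
  (with-temp-buffer
    (insert-file-contents recipe-file)
    (let* ((recipe (read (current-buffer)))
           (name (car recipe))
           (props (cdr recipe))
           (commit (plist-get props :commit))
           (branch (plist-get props :branch)))
      (cond
       ;; Fixed SHA: MELPA builds the same tree no matter when it fetches.
       (commit (format "%-30s pinned to commit %s" name commit))
       ;; Named branch: a new build appears when the author pushes to it.
       (branch (format "%-30s tracks branch %s" name branch))
       ;; Neither key: builds follow the repository's default branch.
       (t (format "%-30s tracks the default branch" name))))))

(defun my/melpa-audit-pinning (recipe-dir)
  "Print one pinning line per recipe file in RECIPE-DIR."
  (dolist (file (directory-files recipe-dir t "\\`[^.]"))
    (message "%s" (my/melpa-recipe-pinning file))))

;; Usage, assuming the clone lives at ~/src/melpa (assumed path):
;; (my/melpa-audit-pinning "~/src/melpa/recipes")
```

Run the audit from a fresh `emacs -Q` session and read the output in the *Messages* buffer; recipes reported as tracking a branch depend on the author's release discipline rather than on a fixed commit.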


