Re: Security issues in Emacs packages
From: Jean Louis
Subject: Re: Security issues in Emacs packages
Date: Thu, 26 Nov 2020 08:24:52 +0300
User-agent: Mutt/2.0 (3d08634) (2020-11-07)

* Tim Cross <theophilusx@gmail.com> [2020-11-26 02:40]:
> > OK, it is great that it is so. Are you maybe an author doing it? Is there
> > any reference that authors are doing so? I have MELPA downloaded; you
> > could tell me how I can see that the author is deciding if the package
> > is for release?
> >
>
> You can clone the melpa repository and see the recipes for each
> package.

I did that some time ago.

> It depends on how the author specifies their MELPA recipe. They can
> define their recipe based on a specific commit (SHA). If they do this,
> it doesn't matter how often or when MELPA pulls from the repository as
> they will always get the same commit.

I have not seen that, and I have assumed you would know better and
wanted to see how authors are reporting that a package is ready for
release, and I do not see that.

Recipes are like this:

(0blayout :repo "etu/0blayout-mode" :fetcher github)
(0x0 :url "https://git.sr.ht/~zge/nullpointer-emacs" :fetcher git)
(0xc :fetcher github :repo "AdamNiederer/0xc")

So that recipe alone does not tell me that the author reports that a new
package is ready; it is fetched from git, but there are parts of the code
that I did not see, which is why I am assuming you know it better.

> Your model is flawed. You can have both automatic pulling AND author
> control over when a new package is issued.

To make it practical, tell me where that author's control is.

I had a quick look at the files, and the recipe files in the directory
melpa/recipes do not give me any pointers; it is all automated and
fetched from git.

> If an author defines their MELPA recipe to use a SHA, a new package will not
> be issued until they update their recipe with a new SHA.

You seem to be very confident and for this reason I assume you know it
better, but due to the contradictions please show one practical recipe or
package where the author has control over when the package is ready to be
released.

$ grep sha *

on recipes does not give any reference.

$ grep commit *
eval-in-repl: :commit "origin/master")
git-auto-commit-mode:(git-auto-commit-mode :fetcher github :repo "ryuslash/git-auto-commit-mode")
git-commit:(git-commit :fetcher github
git-commit: :files ("lisp/git-commit.el")
git-commit: :old-names (git-commit-mode))
git-commit-insert-issue:(git-commit-insert-issue :fetcher gitlab :repo "emacs-stuff/git-commit-insert-issue")
vc-auto-commit:(vc-auto-commit :fetcher github :repo "thisirs/vc-auto-commit")
what-the-commit:(what-the-commit :fetcher github
what-the-commit: :repo "danielbarbarito/what-the-commit.el")

So there is nothing I can find that points or refers to what you
say.

> If an author defines their MELPA recipe to pull from a release branch, a
> new package will not be issued until they update the release branch and
> version tag.

I am sorry, I do not see a reference to it. You are convincing but I do
not see a reference.

Recipe for bar-cursor:

(bar-cursor :repo "ajsquared/bar-cursor"
            :fetcher github)

Recipe for magit:

(magit :fetcher github
       :repo "magit/magit"
       :files ("lisp/magit"
               "lisp/magit*.el"
               "lisp/git-rebase.el"
               "Documentation/magit.texi"
               "Documentation/AUTHORS.md"
               "LICENSE"
               (:exclude "lisp/magit-libgit.el"
                         ;; Cannot remove this yet because it would
                         ;; also be removed from the stable version.
                         ;; "lisp/magit-section.el"
                         )))

Repo magit/magit:
https://github.com/magit/magit

I have given you references; maybe I cannot read that well, so you can
give me references to show whether authors participate in the decision.

Jean
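
The check that `grep commit *` approximates in the message above, as an added example that is not part of the original message or of MELPA's own code: it reads each recipe as a property list and reports its top-level `:commit` or `:branch` property, so package names that merely contain "commit" no longer match. The reader, the function names, the sha/ref/branch/unpinned labels and the two `demo-*` recipes are constructed for illustration; the other samples are recipes quoted in the message (magit abridged).

```python
import re

# Recipe tokens: parentheses, double-quoted strings, bare atoms/keywords.
TOKEN = re.compile(r'\(|\)|"(?:\\.|[^"\\])*"|[^\s()"]+')

def read_recipe(text):
    """Parse one recipe s-expression into nested lists (strings unquoted)."""
    # Strip ';' comments first; assumes no ';' inside strings (true below).
    text = re.sub(r';[^\n]*', '', text)
    stack = [[]]
    for tok in TOKEN.findall(text):
        if tok == '(':
            stack.append([])
        elif tok == ')':
            done = stack.pop()
            stack[-1].append(done)
        else:
            stack[-1].append(tok[1:-1] if tok.startswith('"') else tok)
    return stack[0][0]

def pin_status(text):
    """Return (package, kind, value): which revision the recipe names."""
    name, *plist = read_recipe(text)
    props = dict(zip(plist[0::2], plist[1::2]))  # top-level keywords only
    commit = props.get(':commit')
    if commit and re.fullmatch(r'[0-9a-f]{40}', commit):
        return name, 'sha', commit        # fixed commit hash
    if commit:
        return name, 'ref', commit        # symbolic ref, not a fixed hash
    if ':branch' in props:
        return name, 'branch', props[':branch']
    return name, 'unpinned', None         # no revision named in the recipe

# Recipes quoted in the message, plus two constructed demo-* recipes.
SAMPLES = [
    '(bar-cursor :repo "ajsquared/bar-cursor"\n :fetcher github)',
    '(git-auto-commit-mode :fetcher github :repo "ryuslash/git-auto-commit-mode")',
    '(magit :fetcher github :repo "magit/magit"\n'
    ' :files ("lisp/magit*.el" (:exclude "lisp/magit-libgit.el"\n'
    '  ;; "lisp/magit-section.el"\n )))',
    '(demo-ref :fetcher github :repo "example/demo-ref" :commit "origin/master")',
    '(demo-sha :fetcher github :repo "example/demo-sha"\n'
    ' :commit "0123456789abcdef0123456789abcdef01234567")',
]

def audit(recipes):
    return [pin_status(r) for r in recipes]

if __name__ == '__main__':
    for name, kind, value in audit(SAMPLES):
        print(f'{name:22} {kind:9} {value or "-"}')
```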