From: Greg Minshall
To: Tim Cross
Cc: emacs-orgmode@gnu.org, Jean Louis
Subject: Re: Security issues in Emacs packages
Date: Thu, 26 Nov 2020 15:27:22 +0300
Message-ID: <3505547.1606393642@apollo2.minshall.org>
In-reply-to: <875z5s62x3.fsf@gmail.com> (Tim Cross's message of Thu, 26 Nov 2020 17:35:36 +1100)
List-Id: "General discussions about Org-mode." (emacs-orgmode@gnu.org)

Tim,

> It could, but to get that level of assurance, you not only have to
> verify the signature is valid (something which is automated if
> enabled), you also need to verify that both packages have the exact
> same signature, which is pretty much a manual process. So in addition
> to telling you the version number, George would also need to
> communicate the signature and that would need to be compared to the
> signature you have in the package you downloaded to know that the
> packages are in fact the same (you cannot rely on version numbers for
> any real verification).

If MELPA's release procedure prevented two separate releases of version
1.2.3 of package xYandZ from being released, wouldn't that obviate the
requirement for George to give me signatures? That was my thought as to
why a signed (MELPA, version number, package name) would be enough.
(I've no idea if MELPA's procedures would actually conform to my
"requirement".)

cheers, Greg
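As an added illustration of the two checks discussed in this exchange (not code from the thread or from MELPA), a small Python model: the automated "is the signature valid" check, the manual "are the signatures the same" check, and the archive-side uniqueness rule Greg proposes. The HMAC signing key (standing in for a real GPG key), the ReleaseRegistry class and the two package builds are constructed assumptions.

```python
import hashlib
import hmac

# Constructed stand-in signing key; a real archive uses an asymmetric GPG key.
ARCHIVE_KEY = b"constructed-archive-signing-key"

def sign_package(contents: bytes) -> str:
    """Signature over the package contents, via their SHA-256 digest."""
    digest = hashlib.sha256(contents).digest()
    return hmac.new(ARCHIVE_KEY, digest, hashlib.sha256).hexdigest()

def signature_valid(contents: bytes, signature: str) -> bool:
    """The automated check: does this signature match these contents?"""
    return hmac.compare_digest(sign_package(contents), signature)

def same_package(sig_a: str, sig_b: str) -> bool:
    """The manual check from the thread: same signature, same contents."""
    return hmac.compare_digest(sig_a, sig_b)

class ReleaseRegistry:
    """Hypothetical archive-side rule: (package, version) is released once."""
    def __init__(self, archive: str):
        self.archive = archive
        self.releases = {}  # (name, version) -> signature

    def publish(self, name: str, version: str, contents: bytes) -> str:
        if (name, version) in self.releases:
            raise ValueError(f"{self.archive}: {name} {version} already released")
        self.releases[(name, version)] = sign_package(contents)
        return self.releases[(name, version)]

# Constructed sample: two different builds that both claim to be version 1.2.3.
BUILD_A = b'(defun xyandz-hello () "hello")\n'
BUILD_B = BUILD_A + b"(defun xyandz-extra () nil)\n"

def version_alone_is_not_enough() -> bool:
    """Both builds verify, yet they are not the same package."""
    sig_a, sig_b = sign_package(BUILD_A), sign_package(BUILD_B)
    return (signature_valid(BUILD_A, sig_a) and signature_valid(BUILD_B, sig_b)
            and not same_package(sig_a, sig_b))

def registry_blocks_reuse() -> bool:
    """With uniqueness enforced, (MELPA, xYandZ, 1.2.3) pins exactly one build."""
    reg = ReleaseRegistry("MELPA")
    first = reg.publish("xYandZ", "1.2.3", BUILD_A)
    try:
        reg.publish("xYandZ", "1.2.3", BUILD_B)
        return False  # reuse was not blocked
    except ValueError:
        return same_package(reg.releases[("xYandZ", "1.2.3")], first)
```

Without the registry rule, a valid signature on "xYandZ 1.2.3" tells you only that the archive signed some 1.2.3, which is why the thread's comparison of signatures (or content digests) is still needed.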