From: Tim Cross
To: Jean Louis
Cc: emacs-orgmode@gnu.org
Subject: Re: One vs many directories
Date: Wed, 25 Nov 2020 18:00:41 +1100
Message-ID: <87v9dt7wfa.fsf@gmail.com>
List: "General discussions about Org-mode." (emacs-orgmode@gnu.org)

Jean Louis writes:

> * Tim Cross [2020-11-24 23:40]:
>> If people are really concerned about security, they should look first at
>> their use of repositories like MELPA.
>> There is no formal review or
>> analysis of packages in these repositories, yet people will happily
>> select some package and install it.
>
> Interesting that you are one who mentions that. There are just a few
> people who have ever mentioned it.
>
> I am still in the process of the review of MELPA packages and its
> system. There are many security issues.
>
> Package signing is one example. It does not offer much security
> when packages are signed automatically, but it raises the level of
> security.
>
> MELPA packages and archive-contents are not PGP signed, while GNU ELPA
> packages are signed.
>

IMO signing of packages is irrelevant when there is no formal review process or even any formal process to verify the credentials of signatures. In fact, just adding signing would likely be counter-productive as it would give the impression of some sort of security where there is none.

Basically, anyone can upload anything to MELPA. The only way anyone would find out that an uploaded package has malicious code is if someone does a code review and spots the malicious payload. Even once they find that, there is little chance of being able to attribute the actions to any individual because no real identity vetting is conducted. MELPA is the wild west.

The new non-GNU repository has been set up precisely due to both the licensing issue and the fact many MELPA packages recommend/encourage the use of non-free software/services. While non-GNU will improve this situation, I don't believe there are any plans to actively review the code in the packages. So, like MELPA, all you really have to go on is package reputation. You cannot have any high level of confidence a package does not contain malicious code other than an expectation that if it is used by a sufficiently large number of users, it is unlikely.

This is not an issue unique to Emacs. You only have to look at the issues both Google's Play Store and Apple's App Store have had in the past to see what the risks are.
Both Google and Apple have put large amounts of resources into trying to ensure their repository content is safe and yet they still have failures. Something like GNU Emacs has nowhere near the same resources, so is unlikely to come even close to the same level of security.
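The signing point in the thread (GNU ELPA signs archive-contents and packages, MELPA does not) maps onto a concrete package.el setting. The configuration below is an added example for readers of the list; it is not code from either poster nor from the MELPA or GNU ELPA projects. It assumes Emacs 27's package.el and uses the public archive names and URLs for GNU ELPA and MELPA; the archive list itself is constructed for illustration.

```elisp
;; Added example (not from the thread): how package.el handles archive
;; signatures, with the permissive default beside a stricter setting.
(require 'package)

;; Constructed archive list: GNU ELPA (signed) and MELPA (unsigned).
(setq package-archives
      '(("gnu"   . "https://elpa.gnu.org/packages/")
        ("melpa" . "https://melpa.org/packages/")))

;; Weak (default) setting: `allow-unsigned'.  A signature is verified when
;; one is present, but an archive that ships no signature at all is
;; accepted silently, so a missing or stripped signature never raises an
;; error and the user never learns which archives were actually checked.
;; (setq package-check-signature 'allow-unsigned)

;; Stricter setting: require a valid signature on archive-contents and on
;; each package file, and fail loudly when it is missing or invalid.
(setq package-check-signature t)

;; With `t', an archive that does not sign must be listed here explicitly,
;; otherwise refreshing it errors out.  Listing MELPA turns the implicit
;; "trust unsigned content" decision into a visible line in the config.
(setq package-unsigned-archives '("melpa"))

;; Signatures are checked against the keyring in this directory; the GNU
;; ELPA key is installed with Emacs and can be refreshed via the
;; `gnu-elpa-keyring-update' package from GNU ELPA when it rotates.
(setq package-gnupghome-dir (expand-file-name "elpa/gnupg" user-emacs-directory))
```

What a passing check proves is narrow: the archive index and tarballs were produced by the holder of the archive's signing key and were not altered in transit or on a mirror. It says nothing about whether anyone reviewed the code before it was signed, which is exactly the gap the message above describes; the setting is worth enabling for integrity, not as a substitute for review.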