From: Greg Minshall
To: Tim Cross
Cc: emacs-orgmode@gnu.org, Jean Louis
Subject: Re: Security issues in Emacs packages
Date: Thu, 26 Nov 2020 08:29:02 +0300
Message-ID: <3493481.1606368542@apollo2.minshall.org>
In-reply-to: Your message of "Thu, 26 Nov 2020 09:46:32 +1100." <87mtz56omv.fsf@gmail.com>
List-Id: "General discussions about Org-mode." <emacs-orgmode@gnu.org>

Tim,

> I think you missed my point. There is no benefit in MELPA adopting
> signed packages because there is no formal code review and no vetting
> of the individuals who submit the code.
It occurs to me there might be one benefit: if George, whom you trust, says, "I've been running version 1.2.3 of package xYandZ from MELPA and I have a lot of confidence in it", then if you find that version of that package with a trusted MELPA signature, you maybe know that you and George are running the same software. I.e., it helps with the "web of trust" (if people still talk of that).

(So, the requirement for this is not audited packages, but a solid, "secure", release procedure by MELPA.)

cheers, Greg
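The distinction Greg draws, that an archive signature vouches for which bytes were released and not for whether the code is safe, can be shown with a small model. The following Go program is an added example written for this page; it is not MELPA's code, not Greg's, and it does not use MELPA's real index format. It assumes a hypothetical per-release record (name, version, SHA-256 of the tarball) signed with an Ed25519 archive key, and the tarball bytes are a constructed stand-in. The archive signs the record at release time; a client who has heard George vouch for xYandZ 1.2.3 checks the signature, checks that the record is for that name and version, and compares the digest of its own download against the signed one. A re-packed or tampered download with the same version string fails the digest check, and a record signed by anyone other than the archive fails before its name/version claims are consulted at all.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// ArchiveEntry is a hypothetical per-release record an archive would publish:
// package name, version, and the SHA-256 of the exact tarball bytes it shipped.
// (Assumption for this example; this is not MELPA's real index format.)
type ArchiveEntry struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	SHA256  string `json:"sha256"`
}

// SignedEntry is the entry plus the archive's Ed25519 signature over its
// canonical JSON encoding.
type SignedEntry struct {
	Entry     ArchiveEntry
	Signature []byte
}

var (
	ErrBadSignature    = errors.New("signature does not verify under the archive's key")
	ErrVersionMismatch = errors.New("signed entry is not the package/version your friend vouched for")
	ErrDigestMismatch  = errors.New("local tarball does not match the signed digest")
)

// NewArchiveKey models the archive's release key. In practice the public half
// would be distributed out of band and pinned by the client.
func NewArchiveKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// canonical gives a deterministic byte string to sign: encoding/json emits
// struct fields in declaration order, so equal entries encode identically.
func canonical(e ArchiveEntry) []byte {
	b, err := json.Marshal(e)
	if err != nil {
		panic(err) // plain string fields never fail to marshal
	}
	return b
}

// SignRelease models the archive's release step: hash the tarball it is about
// to publish and sign (name, version, digest). This vouches for which bytes
// were released, not for whether the code inside them is safe.
func SignRelease(priv ed25519.PrivateKey, name, version string, tarball []byte) SignedEntry {
	sum := sha256.Sum256(tarball)
	e := ArchiveEntry{Name: name, Version: version, SHA256: hex.EncodeToString(sum[:])}
	return SignedEntry{Entry: e, Signature: ed25519.Sign(priv, canonical(e))}
}

// SameAsFriend answers the question in the thread: George says he runs
// name/version; are the tarball bytes I have the ones the archive released
// under that name/version? The archive's signature ties the digest to its
// release procedure; George's statement ties the version to his trust.
func SameAsFriend(archivePub ed25519.PublicKey, se SignedEntry, name, version string, local []byte) error {
	if !ed25519.Verify(archivePub, canonical(se.Entry), se.Signature) {
		return ErrBadSignature
	}
	if se.Entry.Name != name || se.Entry.Version != version {
		return ErrVersionMismatch
	}
	sum := sha256.Sum256(local)
	if hex.EncodeToString(sum[:]) != se.Entry.SHA256 {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	pub, priv, err := NewArchiveKey()
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for the archive tarball; not a real package.
	tarball := []byte("xYandZ-1.2.3.tar: constructed sample bytes")
	se := SignRelease(priv, "xYandZ", "1.2.3", tarball)

	fmt.Println("same bytes as George:", SameAsFriend(pub, se, "xYandZ", "1.2.3", tarball))
	// A mirror that re-packs the archive (or a tampered download) keeps the
	// version string but changes the bytes: the signed digest catches it.
	fmt.Println("re-packed tarball:   ", SameAsFriend(pub, se, "xYandZ", "1.2.3", append([]byte("extra"), tarball...)))
	// An entry signed by someone other than the archive fails before any
	// digest comparison, so its name/version claims are never trusted.
	otherPub, _, _ := NewArchiveKey()
	fmt.Println("wrong signer:        ", SameAsFriend(otherPub, se, "xYandZ", "1.2.3", tarball))
}
```

What this does not give you is exactly what Tim says it does not: nothing here inspects the code in the tarball. The only property established is that the archive key signed this digest under this name and version, which is why the value of the scheme rests on how well the archive protects that key and its release procedure.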