From: Tim Cross
To: Greg Minshall
Cc: emacs-orgmode@gnu.org, Jean Louis
Subject: Re: Security issues in Emacs packages
Date: Thu, 26 Nov 2020 17:35:36 +1100
Message-ID: <875z5s62x3.fsf@gmail.com>
In-reply-to: <3493481.1606368542@apollo2.minshall.org>
References: <87mtz56omv.fsf@gmail.com> <3493481.1606368542@apollo2.minshall.org>
List-Id: "General discussions about Org-mode." (emacs-orgmode@gnu.org)
User-agent: mu4e 1.5.7; emacs 27.1.50

Greg Minshall writes:

> Tim,
>
>> I think you missed my point. There is no benefit in MELPA adopting
>> signed packages because there is no formal code review and no vetting
>> of the individuals who submit the code.
>
> it occurs to me there might be one benefit: if George, whom you trust,
> says, "I've been running version 1.2.3 of package xYandZ from MELPA and
> I have a lot of confidence in it", then if you find that version of that
> package with a trusted MELPA signature, you maybe know that you and
> George are running the same software. i.e., it helps with the "web of
> trust" (if people still talk of that).
>
> (so, the requirement for this is not audited packages, but a solid,
> "secure", release procedure by MELPA.)
>

It could, but to get that level of assurance, you not only have to verify
the signature is valid (something which is automated if enabled), you also
need to verify that both packages have the exact same signature, which is
pretty much a manual process. So in addition to telling you the version
number, George would also need to communicate the signature, and that would
need to be compared to the signature you have in the package you downloaded
to know that the packages are in fact the same (you cannot rely on version
numbers for any real verification).

Signatures are a good thing and MELPA should implement them. However, what
they are really useful for is ensuring the package you have downloaded has
not been modified since it was created and signed.

-- 
Tim Cross
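The manual step Tim describes above (check that the signature is good, then compare what you and George actually have rather than the version string) can be scripted from inside Emacs. The following is an added example written for this page; it is not code from the thread, from package.el or from MELPA. It assumes a package tarball and a detached OpenPGP signature over it already sit on disk, and that the signing key is in the local GnuPG keyring; the function names with the `my/` prefix are hypothetical.

```elisp
;; Added example (not from the thread, package.el or MELPA):
;; verify a detached OpenPGP signature over a downloaded package file
;; with EPG, then compute a content digest of the file so two users can
;; compare the artifact itself rather than trusting a version number.
(require 'epg)

(defun my/package-file-digest (file)
  "Return the SHA-256 hex digest of FILE's raw bytes.
The buffer is made unibyte so the hash covers the exact bytes on disk,
not a decoded text representation."
  (with-temp-buffer
    (set-buffer-multibyte nil)
    (insert-file-contents-literally file)
    (secure-hash 'sha256 (current-buffer))))

(defun my/verify-and-fingerprint (tarball sig-file)
  "Verify detached SIG-FILE over TARBALL and return (STATUS KEY-ID DIGEST).
STATUS is the EPG status symbol for the first signature (e.g. `good' or
`bad'); KEY-ID identifies the signing key; DIGEST is the SHA-256 of
TARBALL.  A `good' status only proves the bytes are unmodified since
signing; DIGEST (or the signature itself) is what you compare with
another user to establish that you both hold the same artifact."
  (let ((ctx (epg-make-context 'OpenPGP)))
    ;; Detached signature: SIG-FILE signs the bytes of TARBALL.
    (epg-verify-file ctx sig-file tarball)
    (let ((sig (car (epg-context-result-for ctx 'verify))))
      (unless sig
        (error "No signature found in %s" sig-file))
      (list (epg-signature-status sig)
            (epg-signature-key-id sig)
            (my/package-file-digest tarball)))))

(defun my/same-artifact-p (my-digest their-digest)
  "Return non-nil when two SHA-256 hex digests match, ignoring case."
  (string= (downcase my-digest) (downcase their-digest)))

;; Usage (hypothetical paths; constructed for the example):
;; (my/verify-and-fingerprint "~/dl/xyandz-1.2.3.tar" "~/dl/xyandz-1.2.3.tar.sig")
;; => (good "0123456789ABCDEF" "e3b0c442...")
;; Then compare the third element with the digest George sends you:
;; (my/same-artifact-p "e3b0c442..." george-digest)
```

The `good` status answers "has this file been altered since it was signed?", which is the property Tim says signatures actually give you. Whether you and George are running the same code is a separate question, answered only by exchanging and comparing the digest (or the signature bytes, which bind to it) out of band; two tarballs can carry the same version header and still differ.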