From: Tim Cross
To: Greg Minshall
Subject: Re: Security issues in Emacs packages
Date: Fri, 27 Nov 2020 09:20:43 +1100
Message-ID: <87wny74v5w.fsf@gmail.com>
In-reply-to: <3505547.1606393642@apollo2.minshall.org>
References: <875z5s62x3.fsf@gmail.com> <3505547.1606393642@apollo2.minshall.org>
List-Id: "General discussions about Org-mode."
Cc: emacs-orgmode@gnu.org, Jean Louis

Greg Minshall writes:

> Tim,
>
>> It could, but to get that level of assurance, you not only have to
>> verify the signature is valid (something which is automated if
>> enabled), you also need to verify that both packages have the exact
>> same signature, which is pretty much a manual process. So in addition
>> to telling you the version number, George would also need to
>> communicate the signature and that would need to be compared to the
>> signature you have in the package you downloaded to know that the
>> packages are in fact the same (you cannot rely on version numbers for
>> any real verification).
>
> if MELPA's release procedure prevented two separate releases of version
> 1.2.3 of package xYandZ from being released, wouldn't that obviate the
> requirement for George to give me signatures? that was my thought as to
> why a signed (MELPA, version number, package name) would be enough.
> (i've no idea if MELPA's procedures would actually conform to my
> "requirement".)
>

Possibly, but I'm not sure it does/can. From my limited understanding, the
version number is determined by the git tag (for stable packages - I think
the date is used for unstable).
This is as it should be, as it should be the package maintainer who controls
the version number, not the packaging service (especially for maintainers who
use semantic versioning, where the version number actually conveys information
about the package).

At the end of the day, this is essentially a supply chain problem. To really
have confidence, you need confidence in the whole supply chain, not just the
distribution centre.

Personally, I wish both GNU and Melpa had adopted a push mechanism for package
release. Something similar to npmjs.com, where the package author/maintainer
would submit a signed package (publish) to the repository. This would make it
the producers of the package code we trust, not the distribution center
(repository). The main downside with that approach is that you would also need
a reliable mechanism for retrieving the public keys (there would be a lot more
of them to manage). I also think this would be a model that is a lot easier to
scale (something I think GNU will have problems with under their current
model).

--
Tim Cross
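The push model Tim sketches above, and the "two different releases of 1.2.3" case Greg raises, as an added illustration that is not part of the original thread and is not how MELPA or GNU ELPA actually work. It assumes the author signs a manifest binding package name, version and a SHA-256 of the contents with an Ed25519 key, that the client holds its own pinned author-to-key table (the "reliable mechanism for retrieving the public keys" is reduced here to a map the client controls), and that the repository is treated as untrusted storage. The package name xYandZ is taken from the thread; the seed, contents and author name are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Release is what an author pushes to the repository: the contents plus a
// signature over a manifest of (name, version, content digest). The
// repository stores and serves it but cannot alter any field without
// invalidating the signature.
type Release struct {
	Author    string
	Name      string
	Version   string
	Content   []byte
	Signature []byte // Ed25519 signature over manifest(Name, Version, Content)
}

// manifest is the exact byte string that gets signed. Binding the digest
// to name and version means none of the three can be swapped independently.
func manifest(name, version string, content []byte) []byte {
	sum := sha256.Sum256(content)
	return []byte(fmt.Sprintf("name=%s\nversion=%s\nsha256=%s\n",
		name, version, hex.EncodeToString(sum[:])))
}

// Publish is the author-side step: sign the manifest and build the release
// object that would be pushed to the repository.
func Publish(author string, key ed25519.PrivateKey, name, version string, content []byte) Release {
	return Release{
		Author:    author,
		Name:      name,
		Version:   version,
		Content:   append([]byte(nil), content...),
		Signature: ed25519.Sign(key, manifest(name, version, content)),
	}
}

// Verify is the client-side step. trusted is the client's own pinned
// author -> public key table (an assumed mechanism; the thread notes key
// distribution is the hard part of a push model). Nothing the repository
// asserts is used: the manifest is recomputed from the bytes received.
func Verify(trusted map[string]ed25519.PublicKey, rel Release) error {
	pub, ok := trusted[rel.Author]
	if !ok {
		return fmt.Errorf("no pinned key for author %q", rel.Author)
	}
	if !ed25519.Verify(pub, manifest(rel.Name, rel.Version, rel.Content), rel.Signature) {
		return errors.New("author signature does not cover this name/version/content")
	}
	return nil
}

// demoSeed is a constructed, fixed 32-byte seed so the example is
// reproducible. A real author would generate and protect a private key.
var demoSeed = []byte("example-author-seed-0123456789ab")

func demoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(demoSeed)
	return priv.Public().(ed25519.PublicKey), priv
}

// Scenario walks the thread's case: the genuine 1.2.3, a second 1.2.3 with
// different contents served under the author's original signature, and the
// genuine contents relabelled as 1.2.4 after signing. Only the first verifies.
func Scenario() (genuineOK, swappedOK, retaggedOK bool) {
	pub, priv := demoKeys()
	trusted := map[string]ed25519.PublicKey{"george": pub}

	genuine := Publish("george", priv, "xYandZ", "1.2.3",
		[]byte(";; xYandZ 1.2.3\n(provide 'xyandz)\n")) // constructed contents

	swapped := genuine // same name, version and signature, different bytes
	swapped.Content = []byte(";; xYandZ 1.2.3 (rebuilt)\n(provide 'xyandz)\n")

	retagged := genuine // same bytes, version string edited after signing
	retagged.Version = "1.2.4"

	return Verify(trusted, genuine) == nil,
		Verify(trusted, swapped) == nil,
		Verify(trusted, retagged) == nil
}

func main() {
	g, s, r := Scenario()
	fmt.Printf("genuine=%v swapped-content=%v retagged-version=%v\n", g, s, r)
}
```

The point the example makes concrete: with an author-signed manifest, Greg's "signed (repository, version, name)" tuple is replaced by a signature that also covers the content digest, so a version number can no longer name two different artefacts without the mismatch being detected on the client, and the repository's own release procedure no longer has to be trusted for that property.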