emacs-orgmode@gnu.org archives
 help / color / mirror / code / Atom feed
From: Jean Louis <bugs@gnu.support>
To: Tim Cross <theophilusx@gmail.com>
Cc: emacs-orgmode@gnu.org
Subject: Re: Security issues in Emacs packages
Date: Thu, 26 Nov 2020 02:07:00 +0300	[thread overview]
Message-ID: <X77jlBDGaVeF9/u+@protected.rcdrun.com> (raw)
In-Reply-To: <87mtz56omv.fsf@gmail.com>

* Tim Cross <theophilusx@gmail.com> [2020-11-26 01:47]:
> I think you missed my point. There is no benefit in MELPA adopting
> signed packages because there is no formal code review and no vetting of
> the individuals who submit the code.

Do you think it is really their reason? Or maybe you are developer in
MELPA?

There is still difference if package comes from MELPA or from third
party archive, definitely signing would say this package was signed by
MELPA and other package was not signed by trusted key, so who is that?
Is the MD5SUM same as original? It would give some initiative to
investigate.

Packages are not audited that is so. I think audit can be quick by
using grep for some dangerous commands, I have already found rm -rf as
example command in one of packages, not as malicious one. One could
search for (shell-command and verify such and similar functions.

> If you have no controls in place over the contents of what is being
> signed, the value of the signatures as a security measure is
> drastically reduced. Yes, the valid signature may provide some
> assurances as to where the package originated, but that means little
> if the contents could be anything.

What you explain is logical to me, users though need better
information. One big DANGER should be given to users.

> As it stands, the signing of ELPA packages only provides assurance that
> they are packages assembled by GNU. These signatures do not provide any
> real assurance regarding the content of the packages other than they are
> GPL's and do not recommend or encourage the use of non-free
> software.

There is no absolute. Signing says about origins. Mirrors are placed
anywhere in the world, including behind Internet. It is one way for
users to verify origin and if source has been changed.

> The question is what level of trust should you assume. With ELPA, all
> you can really trust is that the package has a GPL license and does not
> recommend/require the use of non-free software. There is little trust
> that the package does not do something malicious or includes code which
> may compromise the user's security. to provide that level of assurance,
> you would need formal code reviews, which is not feasible given
> available resources.

Last month I could see that several packages were here and there
improved by developers so they do look into code and how much they do
I cannot know.

> I think it is important users are aware of this
> limitation. Furthermore, I ask the question "Does having signed
> packages imply a level of expected assurance which is higher than it
> really is?"  In other words, do users expect that a package is
> completely safe just because it was downloaded from an official GNU
> ELPA repository?

Download numbers on MELPA tells me that answer should be rather
positive, any package is safe to be installed. See
numbers. Information is no enough to teach users. More attention is
necessary. 

> Last time I looked, ELPA also supported 'external' packages where the
> data is retrieved from an external git repository. I think org is one
> such package.

Majority of GNU ELPA packages are external how I know about it, but
authors decide WHEN to upload them.

> > The point number (1) is human, not automated. Author decides when is
> > the package ripe for distribution and what is "release".
> >
> > Git repository is never release and not meant to be "release". Git is
> > for collaborative development and users are made blind that it is some
> > kind of release while it is not. One shall always assume that Git
> > repository contains development versions not ready for public.
> >
> 
> Why? This is not normal. Git repositories contain all versions, both
> production and development. What is production and what is development
> is managed through branches and tags. Anyone who wants can clone the
> ELPA git repository.

How I see practically, people hack on git master branches and main
branch need not be considered release ready. Git hosting websites then
have special section for releases. Git branch is not a release
according to what I know, it is revision control system or version
control system. Git often looks pretty different than release as
package. Of course everybody can clone. Point is that software is no
ripe. Maybe somebody else knows if Git can tell that software is ripe,
what I know it is not so. Author has to say when it is ripe for
release. 

> > MELPA pulls those packages, correct me if I am wrong, automatically
> > from Git repositories without regard if the package is actually
> > release. That does not align or respect the established Emacs
> > conventions how packages should be released, if they are multi files
> > they should be in .tar file otherwise .el and there are version
> > numbers that MELPA fiddles with and makes possible conflicts and
> > introduces confusions.
> 
> this is wrong. In melpa you specify either a commit (SHA) or a branch or
> both. The repository owner has control over this. MELPA doesn't just
> pull data from the repository because there has bene an update. You can
> configure things so that whenever data is committed to a release branch,
> it is pulled, but this is under the control of the repository owner. It
> isn't that different to ELPA where the maintainer will either push new
> data to the ELPA repository (or ask someone with write permission to
> pull it from their repository).

OK it is great that it is so. Are you maybe author doing it? Is there
any reference that authors are doing so? I have MELPA downloaded you
could tell me how do I see that author is deciding if package is for
release?

> You imply authors do not have control over when new releases are made.
> This is not the case. They have full control.

Sure they have for themselves. Do they have it for MELPA?

> The situation with ELPA is not much better. Yes, the authors are
> required to sign over copyright, but what does that really tell you
> about the author. How much vetting is done to verify those copyright
> assignments? How much vetting is done to verify the identities of those
> people? More importantly, how much of the code is formally reviewed?

Valid questions!

> The assumption that because a package is from ELPA it is safe is
> wrong.

Safer, not safe.

Assumption by majority is that any packages from anywhere are
safe. Downloads prove it.

> So how big a risk are ELPA packages in reality? This is a difficult
> thing to quantify. Yes, I do think there is lower risk with ELPA than
> MELPA because even informal review is better than no review.

Side note: ELPA is protocol, GNU ELPA is repository. MELPA ELPA should
be rather more correct name.

I can see all those points and I would like there is better code review.

> > For that reason MELPA's automatic pulling of packages and race to
> > offer "large package repository" is rather by its design detrimental
> > for future. I hope it will change, but currently that is unlikely.
> >
> The automatic pulling is not the issue. As long as there is no formal
> review of code in packages, any method used is vulnerable.

So is there automatic pulling?

I compare automatic pulling and building to author's decision on when
a package would be issued.

Jean


  reply	other threads:[~2020-11-25 23:08 UTC|newest]

Thread overview: 151+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-11-21  0:33 One vs many directories Texas Cyberthal
2020-11-21  5:13 ` Ihor Radchenko
2020-11-21  7:56   ` Jean Louis
2020-11-21  8:31     ` Texas Cyberthal
2020-11-21  9:29       ` Marvin ‘quintus’ Gülker
2020-11-21 10:21       ` Jean Louis
2020-11-21 15:00         ` Texas Cyberthal
2020-11-21 16:08           ` Jean Louis
2020-11-21 15:03     ` Dr. Arne Babenhauserheide
2020-11-21 15:45       ` Texas Cyberthal
2020-11-21 17:12         ` Jean Louis
2020-11-21 18:01           ` Texas Cyberthal
2020-11-21 18:57             ` Jean Louis
2020-11-22  6:36           ` Ihor Radchenko
2020-11-22  7:20             ` Jean Louis
2020-11-22  8:32               ` Ihor Radchenko
2020-11-22  8:56                 ` Jean Louis
2020-11-21 22:36         ` Dr. Arne Babenhauserheide
     [not found]           ` <CAMUm491Psp0u5JKyGROP6M=UfAcvOLTtOKAD1rOearV+KxgYdQ@mail.gmail.com>
     [not found]             ` <87r1olfvh4.fsf@web.de>
2020-11-23  9:50               ` Texas Cyberthal
2020-11-23 13:17                 ` Jean Louis
2020-11-23 14:16                   ` Ihor Radchenko
2020-11-23 18:08                     ` Is Org really so simple? Jean Louis
2020-11-23 20:41                       ` Tom Gillespie
2020-11-24  5:06                         ` Jean Louis
2020-11-26  3:08                       ` Ihor Radchenko
2020-11-26  8:57                         ` Jean Louis
2020-11-29  7:20                           ` Ihor Radchenko
2020-11-29 16:22                             ` Jean Louis
2020-11-26 18:07                         ` Dr. Arne Babenhauserheide
2020-11-26 23:09                       ` David Rogers
2020-11-27  0:43                         ` Tim Cross
2020-11-27  2:56                         ` Jean Louis
2020-11-23 16:07                   ` One vs many directories Texas Cyberthal
2020-11-23 19:20                     ` Jean Louis
2020-11-24  7:55                       ` Ihor Radchenko
2020-11-28 16:16                         ` Jean Louis
2020-11-28 16:33                           ` Christopher Dimech
2020-11-25  6:57                       ` Texas Cyberthal
2020-11-25  9:51                         ` Jean Louis
2020-11-25 10:39                           ` Texas Cyberthal
2020-11-25 11:02                             ` Jean Louis
2020-11-26 16:04                               ` Texas Cyberthal
2020-11-26 17:31                                 ` Jean Louis
2020-11-27  9:00                                   ` Texas Cyberthal
2020-11-27 10:45                                     ` Jean Louis
2020-11-28  8:18                                       ` Texas Cyberthal
2020-11-28 10:09                                         ` Jean Louis
2020-11-29  6:18                                           ` Texas Cyberthal
2020-11-29  6:53                                             ` Jean Louis
2020-11-30  7:35                                               ` Texas Cyberthal
2020-11-30  7:50                                                 ` Ihor Radchenko
2020-11-30 10:25                                                   ` Texas Cyberthal
2020-11-30 10:57                                                 ` Jean Louis
2020-11-30 12:27                                                   ` Ihor Radchenko
2020-11-30 12:28                                                   ` Ihor Radchenko
2020-11-30 19:00                                                     ` Jean Louis
2020-12-02  2:56                                                       ` Ihor Radchenko
2020-12-02  6:14                                                         ` Jean Louis
2020-12-02  7:23                                                           ` Ihor Radchenko
2020-11-21 16:55       ` Jean Louis
2020-11-21 22:48         ` Dr. Arne Babenhauserheide
2020-11-22  0:48           ` Jean Louis
2020-11-22  2:47             ` briangpowell
2020-11-22 17:55               ` Jean Louis
2020-11-21  6:12 ` Palak Mathur
2020-11-21  9:04   ` Jean Louis
2020-11-21  6:36 ` Jean Louis
2020-11-21  7:17   ` Texas Cyberthal
2020-11-21  9:53     ` Jean Louis
2020-11-21 10:15       ` Tim Cross
2020-11-21 11:18         ` Jean Louis
2020-11-21 14:44       ` Texas Cyberthal
2020-11-21 15:45         ` Jean Louis
2020-11-23  5:40     ` Ihor Radchenko
2020-11-24  9:00       ` Jean Louis
2020-11-24  9:45         ` Eric S Fraga
2020-11-24  9:51           ` Jean Louis
2020-11-24 11:42             ` Eric S Fraga
2020-11-24 13:13               ` Diego Zamboni
2020-11-24 13:49                 ` Jean Louis
2020-11-24 17:02                 ` Jean Louis
2020-11-24 18:50                   ` Dr. Arne Babenhauserheide
2020-11-24 18:58                     ` Jean Louis
2020-11-25  6:39                       ` Tim Cross
2020-11-25 12:38                         ` Local variables insecurities - " Jean Louis
2020-11-25 13:05                           ` Eric S Fraga
2020-11-25 13:13                             ` Jean Louis
2020-11-25 13:58                               ` Eric S Fraga
2020-11-25 14:07                                 ` Jean Louis
2020-11-25 20:54                                   ` Tim Cross
2020-11-25 22:09                                     ` Jean Louis
2020-11-26  2:06                                       ` Tom Gillespie
2020-11-26  5:06                                         ` Jean Louis
2020-11-26  5:31                                         ` Jean Louis
2020-11-26  6:18                                           ` Tom Gillespie
2020-11-26  9:10                                             ` Jean Louis
2020-11-26 11:44                                           ` Detlef Steuer
2020-11-26 12:06                                             ` Jean Louis
2020-11-26  5:34                                         ` Greg Minshall
2020-11-26  5:49                                           ` Jean Louis
2020-11-26  8:39                             ` Christian Moe
2020-11-25  8:10                       ` Dr. Arne Babenhauserheide
2020-11-25  8:36                         ` Local variables liberties Jean Louis
2020-11-24 20:11                     ` One vs many directories Tom Gillespie
2020-11-24 20:39                       ` Tim Cross
2020-11-25  4:54                         ` Jean Louis
2020-11-25  5:54                           ` Tim Cross
2020-11-25  7:01                             ` Local variables issue - " Jean Louis
2020-11-25  5:06                         ` Jean Louis
2020-11-25  7:00                           ` Tim Cross
2020-11-25  8:23                             ` Security issues in Emacs packages Jean Louis
2020-11-25  9:07                               ` tomas
2020-11-25  9:26                                 ` Jean Louis
2020-11-25 10:41                                   ` tomas
2020-11-25 22:46                               ` Tim Cross
2020-11-25 23:07                                 ` Jean Louis [this message]
2020-11-25 23:39                                   ` Tim Cross
2020-11-26  5:24                                     ` Jean Louis
2020-11-26  6:46                                       ` Tim Cross
2020-11-26  5:29                                 ` Greg Minshall
2020-11-26  5:53                                   ` Jean Louis
2020-11-26  6:35                                   ` Tim Cross
2020-11-26 12:27                                     ` Greg Minshall
2020-11-26 22:20                                       ` Tim Cross
2020-11-27  2:19                                         ` Jean Louis
2020-11-27  4:42                                         ` Greg Minshall
2020-11-25  4:44                       ` One vs many directories Jean Louis
2020-11-25 10:19           ` org-sbe to automate some source block executions Jean Louis
2020-11-25 11:39             ` Ihor Radchenko
2020-11-25 15:06               ` Jean Louis
2020-11-25 11:46           ` One vs many directories Jean Louis
2020-11-25 13:07             ` Eric S Fraga
2020-11-25 13:14               ` Jean Louis
2020-11-25 13:12             ` Ihor Radchenko
2020-11-25 13:32               ` Jean Louis
2020-11-24 18:47         ` Dr. Arne Babenhauserheide
2020-11-24 18:54           ` Jean Louis
2020-11-25  8:14             ` Dr. Arne Babenhauserheide
2020-11-25  8:46               ` Jean Louis
2020-11-25 11:46                 ` Ihor Radchenko
2020-11-26 12:47                   ` Jean Louis
2020-11-26 13:27                     ` Ihor Radchenko
2020-12-02 10:12                       ` Jean Louis
2020-12-02  9:49                   ` Jean Louis
2020-11-26  3:47           ` Ihor Radchenko
2020-11-26  3:32         ` Ihor Radchenko
2020-11-26 11:58           ` Jean Louis
2020-11-29  7:56             ` Ihor Radchenko
2020-11-29 17:57               ` Jean Louis
2020-11-21 13:41 ` Jonathan McHugh
2020-11-21 14:04   ` Jean Louis

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://www.orgmode.org/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=X77jlBDGaVeF9/u+@protected.rcdrun.com \
    --to=bugs@gnu.support \
    --cc=emacs-orgmode@gnu.org \
    --cc=theophilusx@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs/org-mode.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).