From: Jean Louis
To: Tim Cross
Cc: emacs-orgmode@gnu.org
Subject: Re: Security issues in Emacs packages
Date: Thu, 26 Nov 2020 08:24:52 +0300
In-Reply-To: <87h7pd6m5u.fsf@gmail.com>
References: <87zh36d1xn.fsf@web.de> <875z5uxzev.fsf@gmail.com> <87v9dt7wfa.fsf@gmail.com> <87mtz56omv.fsf@gmail.com> <87h7pd6m5u.fsf@gmail.com>

* Tim Cross [2020-11-26 02:40]:
> > OK, it is great that it is so. Are you maybe an author doing it? Is there
> > any reference that authors are doing so? I have MELPA downloaded; you
> > could tell me how I see that the author is deciding if a package is for
> > release?
> >
>
> You can clone the melpa repository and see the recipes for each
> package.

I did some time ago.

> It depends on how the author specifies their MELPA recipe. They can
> define their recipe based on a specific commit (SHA). If they do this,
> it doesn't matter how often or when MELPA pulls from the repository as
> they will always get the same commit.

I have not seen that, and I have assumed you would know better and wanted to see how authors report that a package is ready for release, and I do not see that.
Recipes are like this:

  (0blayout :repo "etu/0blayout-mode" :fetcher github)
  (0x0 :url "https://git.sr.ht/~zge/nullpointer-emacs" :fetcher git)
  (0xc :fetcher github :repo "AdamNiederer/0xc")

So the recipe alone does not tell me that the author reports that a new package is ready; it is fetched from git, but there are parts of the code that I did not see, which is why I am assuming you know it better.

> Your model is flawed. You can have both automatic pulling AND author
> control over when a new package is issued.

To make it practical, tell me where that author's control is. I had a quick view of the files, and the recipe files in the directory melpa/recipes do not give me any pointers; it is all automated and fetched from git.

> If the author defines their MELPA recipe to use a SHA, a new package will not
> be issued until they update their recipe with a new SHA.

You seem to be very confident, and for this reason I assume you know it better, but due to the contradictions please show one practical recipe or package where the author has control over when the package is ready to be released.

  $ grep sha *

on the recipes does not give any reference.

  $ grep commit *
  eval-in-repl: :commit "origin/master")
  git-auto-commit-mode:(git-auto-commit-mode :fetcher github :repo "ryuslash/git-auto-commit-mode")
  git-commit:(git-commit :fetcher github
  git-commit: :files ("lisp/git-commit.el")
  git-commit: :old-names (git-commit-mode))
  git-commit-insert-issue:(git-commit-insert-issue :fetcher gitlab :repo "emacs-stuff/git-commit-insert-issue")
  vc-auto-commit:(vc-auto-commit :fetcher github :repo "thisirs/vc-auto-commit")
  what-the-commit:(what-the-commit :fetcher github
  what-the-commit: :repo "danielbarbarito/what-the-commit.el")

So there is nothing I can find that points or references to what you say.

> If the author defines their MELPA recipe to pull from a release branch, a
> new package will not be issued until they update the release branch and
> version tag.

I am sorry, I do not see a reference to it.
You are convincing, but I do not see a reference.

Recipe for bar-cursor:

  (bar-cursor :repo "ajsquared/bar-cursor" :fetcher github)

Recipe for magit:

  (magit :fetcher github
         :repo "magit/magit"
         :files ("lisp/magit"
                 "lisp/magit*.el"
                 "lisp/git-rebase.el"
                 "Documentation/magit.texi"
                 "Documentation/AUTHORS.md"
                 "LICENSE"
                 (:exclude "lisp/magit-libgit.el"
                           ;; Cannot remove this yet because it would
                           ;; also be removed from the stable version.
                           ;; "lisp/magit-section.el"
                           )))

Repo magit/magit: https://github.com/magit/magit

I have given you references; maybe I cannot read that well, so you can give me references to show if authors have participation in the decision.

Jean
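The question in this message is whether a recipe names a fixed revision or just a repository. As an added example (my code, not anything from the thread or from MELPA itself), here is a small audit script that parses recipe s-expressions of the shape quoted above and reports, per package, whether the recipe's `:commit` is a full 40-hex-digit hash, a moving ref name such as "origin/master", whether a `:branch` key is present, or whether no revision is named at all. The `:branch` key, the `:repo` of the eval-in-repl sample, the `pinned-example` and `branch-example` entries, and the meaning attached to each class are assumptions made for the example; the thread confirms none of them.

```python
"""Classify MELPA-style recipes by how they select a source revision.

Added example, not MELPA's code. The recipe shape (name, then a keyword/value
plist, with ';' comments and "strings") follows the recipes quoted in this
thread; what each class means for a build is an assumption for the audit.
"""
import re
from typing import Any, Dict, List, Tuple


class Symbol(str):
    """A bare Lisp symbol such as github or :repo, unlike a "quoted string"."""


_TOKEN = re.compile(r'''
    \s+ | ;[^\n]*                       # whitespace and comments: dropped
    | (?P<open>\()
    | (?P<close>\))
    | (?P<string>"(?:[^"\\]|\\.)*")
    | (?P<atom>[^\s()";]+)
''', re.VERBOSE)
_FULL_SHA = re.compile(r'^[0-9a-f]{40}$')   # a complete git object id


def parse(text: str) -> List[Any]:
    """Parse a sequence of s-expressions into nested Python lists."""
    stack: List[List[Any]] = [[]]
    for m in _TOKEN.finditer(text):
        kind, tok = m.lastgroup, m.group()
        if kind is None:                 # whitespace or ';' comment
            continue
        if kind == "open":
            stack.append([])
        elif kind == "close":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            done = stack.pop()
            stack[-1].append(done)
        elif kind == "string":           # drop quotes, unescape \" and \\
            stack[-1].append(re.sub(r'\\(.)', r'\1', tok[1:-1]))
        else:
            stack[-1].append(Symbol(tok))
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]


def recipe_properties(recipe: List[Any]) -> Tuple[str, Dict[str, Any]]:
    """Split (name :key value ...) into the name and a dict of its keywords."""
    if not recipe or not isinstance(recipe[0], Symbol):
        raise ValueError("a recipe starts with the package name")
    name, rest = str(recipe[0]), recipe[1:]
    if len(rest) % 2:
        raise ValueError(f"{name}: odd number of plist elements")
    props: Dict[str, Any] = {}
    for key, value in zip(rest[::2], rest[1::2]):
        if not (isinstance(key, Symbol) and key.startswith(":")):
            raise ValueError(f"{name}: expected a keyword, got {key!r}")
        props[str(key)] = value
    return name, props


def classify(props: Dict[str, Any]) -> str:
    """pinned-commit: :commit is a full SHA, so the fetched tree cannot change
    without editing the recipe.  floating-ref: :commit is a ref name such as
    "origin/master", which moves.  branch-head: a :branch key (assumed here)
    names a branch whose tip moves.  default-head: no revision named at all."""
    commit = props.get(":commit")
    if isinstance(commit, str) and not isinstance(commit, Symbol):
        return "pinned-commit" if _FULL_SHA.match(commit) else "floating-ref"
    return "branch-head" if ":branch" in props else "default-head"


def classify_recipes(text: str) -> Dict[str, str]:
    """Map every recipe found in `text` to its class."""
    return {name: classify(props)
            for name, props in map(recipe_properties, parse(text))}


def unpinned(text: str) -> List[str]:
    """Packages whose recipe does not pin a full commit hash."""
    return sorted(n for n, c in classify_recipes(text).items()
                  if c != "pinned-commit")


# Constructed sample modelled on recipes quoted in this thread; the :repo of
# eval-in-repl and the pinned-example / branch-example entries are invented.
SAMPLE_RECIPES = r'''
(0blayout :repo "etu/0blayout-mode" :fetcher github)
(0x0 :url "https://git.sr.ht/~zge/nullpointer-emacs" :fetcher git)
(eval-in-repl :fetcher github :repo "example/eval-in-repl"
              :commit "origin/master")
(magit :fetcher github
       :repo "magit/magit"
       :files ("lisp/magit" "lisp/magit*.el"
               (:exclude "lisp/magit-libgit.el"
                         ;; a comment inside the recipe, as in the real one
                         )))
(pinned-example :fetcher github :repo "example/pinned"
                :commit "0123456789abcdef0123456789abcdef01234567")
(branch-example :fetcher github :repo "example/branch" :branch "release")
'''

if __name__ == "__main__":
    for name, cls in classify_recipes(SAMPLE_RECIPES).items():
        print(f"{name:16} {cls}")
    print("not pinned:", ", ".join(unpinned(SAMPLE_RECIPES)))
```

Run against a checkout of the recipes directory by reading each file into `classify_recipes`; the only recipes that come out as `pinned-commit` are those where the fetched tree cannot change unless someone edits the recipe, which is the kind of author control the thread is asking about. Note that the grep output above already shows one `:commit` value that is a ref name rather than a hash, and the script treats that as `floating-ref` on purpose.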