Date: Thu, 26 Nov 2020 08:53:42 +0300
From: Jean Louis
To: Greg Minshall
Cc: Tim Cross, emacs-orgmode@gnu.org
Subject: Re: Security issues in Emacs packages
List-Id: "General discussions about Org-mode." (emacs-orgmode@gnu.org)

* Greg Minshall [2020-11-26 08:29]:
> Tim,
>
> > I think you missed my point. There is no benefit in MELPA adopting
> > signed packages because there is no formal code review and no vetting
> > of the individuals who submit the code.
>
> It occurs to me there might be one benefit: if George, whom you trust,
> says, "I've been running version 1.2.3 of package xYandZ from MELPA and
> I have a lot of confidence in it", then if you find that version of that
> package with a trusted MELPA signature, you maybe know that you and
> George are running the same software. I.e., it helps with the "web of
> trust" (if people still talk of that).
>
> (So, the requirement for this is not audited packages, but a solid,
> "secure", release procedure by MELPA.)

Maybe principles from Freenet Web of Trust could be somehow implemented
for Emacs users and our discussions.

https://www.draketo.de/english/freenet/friendly-communication-with-anonymity
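An added example, not from the thread and not MELPA's or GNU ELPA's own code, showing the client side of the signing question Greg raises: how package.el decides whether a package from a given archive must carry a verifiable signature, with the weak setting beside the stricter one, and a small helper that reports which configured archives are actually verified. It assumes Emacs 27 or later (the 'all value of `package-check-signature' was added there); the helper name `my/archive-signature-policy' is chosen here.

```elisp
;; Added example for the thread above; assumes Emacs 27+ with package.el.
(require 'package)

;; Archives. GNU ELPA publishes signed archive-contents and per-package
;; signatures; MELPA, as the thread notes, currently signs nothing.
(setq package-archives
      '(("gnu"   . "https://elpa.gnu.org/packages/")
        ("melpa" . "https://melpa.org/packages/")))

;; Weak setting: signatures are never checked, so a tampered archive or
;; package is installed silently.
;; (setq package-check-signature nil)

;; Stricter setting: every package must carry a signature that verifies
;; against a key in `package-gnupghome-dir'. 'all rejects a package if
;; any of its signatures fails; t accepts it if at least one verifies.
(setq package-check-signature 'all)

;; Archives listed here are exempt from the check. Naming MELPA
;; explicitly records that installs from it are unverified by choice,
;; rather than blanket-relaxing the policy with 'allow-unsigned.
(setq package-unsigned-archives '("melpa"))

(defun my/archive-signature-policy ()
  "Return an alist (ARCHIVE . POLICY) for each entry of `package-archives'.
POLICY is `verified' when installs require a valid signature,
`unsigned-allowed' when unsigned packages are accepted from that
archive, and `unchecked' when signature checking is globally off."
  (mapcar (lambda (archive)
            (let ((name (car archive)))
              (cons name
                    (cond ((null package-check-signature) 'unchecked)
                          ((member name package-unsigned-archives)
                           'unsigned-allowed)
                          ((eq package-check-signature 'allow-unsigned)
                           'unsigned-allowed)
                          (t 'verified)))))
          package-archives))
```

Evaluating `(my/archive-signature-policy)' after loading this configuration lists "gnu" as verified and "melpa" as unsigned-allowed, which is the practical consequence of the point made in the thread: without a signing step in MELPA's release procedure, package.el has nothing to verify for that archive, whatever `package-check-signature' is set to.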