Re: ELPA security

From:

Paul Nathan

Subject:

Re: ELPA security

Date:

Wed, 26 Dec 2012 09:32:44 -0800

On Sat, Dec 22, 2012 at 8:20 AM, Stefan Monnier <address@hidden> wrote:

> I also think `M-x list-packages' should define a `v' shortcut to file-find
> the .el file or tarball that constitutes the package without installing
> it. That will contribute to security and it's really convenient, too.

Actually, "installation" has several steps:
- download.
- install per se (i.e. copies the files at an appropriate place).
- compile.
- setup (i.e. arrange things such that the package is in the load-path
and its autoloads are active next time to start Emacs).

The first two steps can be made to be safe.

Stefan

Hullo,

I would like to humbly provide some ideas here:

- In general, GNU is trusted (after all, we download our emacs from the GNU). This would imply to me that the GNU can GPG sign packages with a private/public key (Perhaps the precursor to this is emacs having a gpg implementation included).

- Then perhaps other repositories, such as marmalade could also sign their packages, and users could choose to trust that signature or not.

- Of course, this is analogous to the Debian/Launchpad/PPA approach, which has worked excellently for me and others. It may require quite a great deal of infrastructure work which I am entirely unfamiliar with.

Regards,

Paul