emacs-devel

MELPA issues - Re: Proposal for an Emacs User Survey


From: Jean Louis
Subject: MELPA issues - Re: Proposal for an Emacs User Survey
Date: Fri, 16 Oct 2020 19:33:45 +0300
User-agent: Mutt/1.14.0 (2020-05-02)

* Marcel Ventosa <mve1@runbox.com> [2020-10-16 09:03]:
> On Thu, 15 Oct 2020 23:59:07 -0400
> Richard Stallman <rms@gnu.org> wrote:
> 
> > I hope that only a minority of Emacs users know about MELPA, and I'd
> > rather not inform the rest about it.  But if something is going to
> > inform them anyway, it is better to do it with a denunciation.
> 
> 
> I've been using Emacs (and MELPA) for the best part of a decade and
> knew nothing about this! I'm concerned to use only free software and
> actively avoid proprietary software, so this is a bit of a shock.
> 
> Is there anywhere I can read more about this issue?

I have not checked all the software on MELPA, but due to Github
policies that free (of charge) repositories should have only free (as
in liberty) software licenses, I am assuming that probably none of
that software is non-free. But there can be MELPA software that is
vague because maybe maintainers have not put the proper license, which
is often the case.

The software provided by MELPA may lead users to non-free software or
may control non-free software or be made exclusively for usage of free
software.

An example that I have found is the ChatWork package; it works with the
ChatWork chat software, which I only assume is proprietary. I have not
checked it very well, but it seemed to be so from checking their
website.

Corporations can very easily sponsor somebody to provide software for
Emacs to provide features that control or interact with their
proprietary software.

It is also a method of advertising.

Then there is software to access various websites, let us say software
that provides quotes from a specific website; it could be a funny quote
or a smart one, but maybe the purpose is simply advertising. Finally,
fetching something from another website I consider dangerous; the
package itself need not be, but other packages that follow could easily
be dangerous.

More danger from MELPA comes from the fact that MELPA is not verifying
the packages; not that I know of, but I have read that they said they
are not doing it.

There is a plethora of insecurities on MELPA. It is far from harmless.

As far as I understood, the packages arriving at GNU ELPA have their
copyright assigned to the FSF. I am also assuming, as a user, that such
packages are somehow reviewed by developers, not just one developer, and
that they are placed into ELPA as a duplicate or copy of the upstream. I
may be wrong in all of that assumption, but I think that GNU ELPA
packages are verified for freedom and mostly for the security and safety
of users. We are speaking of loading true programming language code
and executing it on users' computers.

It is not equivalent to JavaScript; it is far more dangerous than
JavaScript, which tends to execute in a safe environment, in such a way
as not to abuse users' computers and data. Yet people have found ways to
crack browsers and to break into users' file systems; there are many
ways in which JavaScript can be malicious.

The more packages there are that are not verified, but simply offered
for download through MELPA, the more insecurities will come in the
future.

MELPA is allowing Google to track users by using Google Analytics on
their website, which already speaks to the webmaster's lack of skill in
managing the website. There are so many free software programs for web
statistics, and there is no need for third-party tracking.

Now, the real insecurity comes from programs that are sourced from
Github. If there are 4000+ packages, there can be 1000+ authors, maybe
even 2000+ authors.

Each of those authors represents an insecurity to computing, as their
packages are not verified each time they are pulled; they are blindly
trusted.

The blind trust in MELPA packages is what makes it highly insecure
for computer users.

It requires just 1 author's account to be cracked and malicious code to
be inserted; thousands of computer users can be affected that way.

Finally, an author can go nuts himself and become psychotic; there
are programmers who became so. They can introduce malicious code
themselves, or can do it while claiming it was somebody else.

Packages that I think do not belong in a free software repository, for
the reason that they are using proprietary information, wrapping
proprietary software, or using known spying networks:

babel - that uses non-free Babelfish translations (if I am mistaken,
tell me)

chatwork - that uses non-free ChatWork proprietary chat software

bing-dict - that uses Microsoft Bing proprietary dictionary

calfw-gcal - to edit Google calendar

Obviously I only came to the letter C; I could browse more and find
more troublesome packages.

Yet the major insecurity is the number of packages that are not verified
by a human to be safe, and the blind offering and blind acceptance by
users thinking they are safe.

Jean
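An added example, written for this page and not taken from the thread or from MELPA or GNU ELPA themselves: an Emacs init fragment that gives the signed GNU ELPA archive priority, keeps signature checking on, and provides an audit function listing installed packages that GNU ELPA does not carry. The function name `my/installed-packages-not-in-archive` is an assumption of this example.

```elisp
;; Added example (not from the thread): prefer the reviewed, signed GNU ELPA
;; archive, keep signature checks on, and list the installed packages that
;; GNU ELPA does not offer so they can be reviewed by hand.
(require 'package)
(require 'cl-lib)

(setq package-archives
      '(("gnu"   . "https://elpa.gnu.org/packages/")
        ("melpa" . "https://melpa.org/packages/")))

;; When a package exists in both archives, take the GNU ELPA copy.
(setq package-archive-priorities '(("gnu" . 10) ("melpa" . 0)))

;; With t, Emacs refuses any archive index or package that does not carry a
;; verified signature.  GNU ELPA signs; MELPA does not, so MELPA must either
;; be dropped from `package-archives' or explicitly exempted below, which
;; means its packages are installed without any signature check at all.
(setq package-check-signature t)
(setq package-unsigned-archives '("melpa"))

(defun my/installed-packages-not-in-archive (archive)
  "Return names of installed packages for which ARCHIVE (a string) offers no version.
`package-archive-contents' must be populated first (M-x package-refresh-contents)."
  (let (result)
    (dolist (entry package-alist (nreverse result))
      (let* ((name (car entry))
             (descs (cdr (assq name package-archive-contents))))
        (unless (cl-some (lambda (d) (equal (package-desc-archive d) archive))
                         descs)
          (push name result))))))

;; Audit: everything returned here was pulled without GNU ELPA's review,
;; i.e. it is trusted only on the strength of its author's account.
;; M-: (my/installed-packages-not-in-archive "gnu")
```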
