Re: Fwd: Should package.el support notifying on package security updates?

[Matt Armstrong]

Gulshan Singh <gsingh2011@gmail.com> writes:

> I recently reported a security issue for a package on MELPA, where
> even though I trusted the package author, if I used the package to
> process untrusted data that data code be crafted in a way to execute
> arbitrary code on my system. This led me to wonder if there was any
> mechanism for package.el to distinguish between regular updates and
> security updates, and I wasn't able to find any information on this.
>
> Has there been any past discussion on this? As an example, on Ubuntu you
> can see how many of the pending updates are security updates as opposed
> to regular updates, and you can configure the system to auto-update just
> the security updates. I feel like the package manager in emacs should
> have something similar, but maybe I'm missing something about why this
> functionality isn't included.

I am not an authority on Emacs packages, but as far as I am aware, there
is no mechanism in place to track security vulnerabilities in Emacs
packages or any way to urgently present available fixes to users
(e.g. by suggesting a partiular package upgrade is urgent).

One substantive discussion I found on package security issues in general
occurred on emacs-devel 9 years ago:

Subject: security of the emacs package system, elpa, melpa and marmalade
Date: Mon, 23 Sep 2013 09:30:35 +0200
https://lists.gnu.org/archive/html/emacs-devel/2013-09/threads.html

Shortly after that discussion it looks like package.el was changed to
verify package signatures (at least optionally, based on the
availability of a gpg installation, which went through refinement over a
period of years).