Subject: Re: Fwd: Should package.el support notifying on package security updates?
From: Matt Armstrong
Date: Thu, 11 Aug 2022 17:04:09 -0700
Gulshan Singh <gsingh2011@gmail.com> writes:
> I recently reported a security issue for a package on MELPA, where
> even though I trusted the package author, if I used the package to
> process untrusted data that data could be crafted in a way to execute
> arbitrary code on my system. This led me to wonder if there was any
> mechanism for package.el to distinguish between regular updates and
> security updates, and I wasn't able to find any information on this.
>
> Has there been any past discussion on this? As an example, on Ubuntu you
> can see how many of the pending updates are security updates as opposed
> to regular updates, and you can configure the system to auto-update just
> the security updates. I feel like the package manager in emacs should
> have something similar, but maybe I'm missing something about why this
> functionality isn't included.
I am not an authority on Emacs packages, but as far as I am aware, there
is no mechanism in place to track security vulnerabilities in Emacs
packages or any way to urgently present available fixes to users
(e.g. by suggesting a particular package upgrade is urgent).
One substantive discussion I found on package security issues in general
occurred on emacs-devel 9 years ago:
Subject: security of the emacs package system, elpa, melpa and marmalade
Date: Mon, 23 Sep 2013 09:30:35 +0200
https://lists.gnu.org/archive/html/emacs-devel/2013-09/threads.html
Shortly after that discussion it looks like package.el was changed to
verify package signatures (at least optionally, based on the
availability of a gpg installation, which went through refinement over a
period of years).
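As an added example (not code from this thread or from package.el itself), the following Emacs Lisp reports the signature policy the paragraph above refers to and shows the fail-closed setting beside it; the function name `my/package-signature-audit` is my own, the variables it reads are package.el's.

```elisp
(require 'package)
(require 'epg-config)

(defun my/package-signature-audit ()
  "Report how package.el will verify archive and package signatures.
Return a plist with the effective policy so it can be inspected."
  (let* ((gpg (epg-find-configuration 'OpenPGP)) ; nil when no usable gpg
         (policy package-check-signature)
         (unsigned nil))
    ;; `package-check-signature' means:
    ;;   nil             never check (anything from the archive is trusted)
    ;;   allow-unsigned  verify a .sig when present, tolerate its absence
    ;;   t / all         refuse archive-contents or packages without a
    ;;                   valid signature from a key in `package-gnupghome-dir'
    ;; Archives listed in `package-unsigned-archives' are exempt entirely.
    (dolist (archive package-archives)
      (when (member (car archive) package-unsigned-archives)
        (push (car archive) unsigned)))
    (message "gpg available: %s" (if gpg "yes" "no (checks silently impossible)"))
    (message "package-check-signature: %S" policy)
    (dolist (name unsigned)
      (message "signature check disabled for archive %s" name))
    (list :gpg-available (and gpg t)
          :policy policy
          :unsigned-archives (nreverse unsigned))))

;; Weak (the default when gpg is missing): nothing is verified.
;; (setq package-check-signature nil)

;; Hardened: fail closed.  Installing from an archive whose metadata or
;; package lacks a valid signature is an error rather than a warning.
(setq package-check-signature t
      package-unsigned-archives nil)

(my/package-signature-audit)
```

Run the audit before and after changing the settings; an archive that appears under `:unsigned-archives` is one for which a tampered archive-contents file would be accepted without complaint.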