Re: Fwd: Should package.el support notifying on package security updates
From: Stefan Monnier
Subject: Re: Fwd: Should package.el support notifying on package security updates?
Date: Fri, 12 Aug 2022 17:40:55 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/29.0.50 (gnu/linux)
> - There are actually very few security issues reported for Elisp
> packages. This doesn't mean there aren't any, only that they are
> discovered and reported very rarely.
Agreed.
And I suspect that security issues are much more common than are reported.
[ Lots of Emacs packages are written under the implicit assumption that the
current buffer contains something mildly-trustworthy. ]
> - It would require package maintainers to somehow flag that an update is
> a security update rather than just a standard update. As it is already
> somewhat challenging to get many package maintainers to include
> consistent change logs in their packages, I suspect then also asking
> them to distinguish security updates from normal updates may be
> asking too much.
I'm not sure it would be a big problem. But I'm not sure it would be an
improvement either. Especially because I suspect it might give the
false impression that the code of ELisp packages is somewhat
security-conscious, whereas in my experience, the vast majority of Emacs
packages isn't (they may end up secure by accident, of course).
Stefan