emacs-devel

Re: Fwd: Should package.el support notifying on package security updates


From: Tim Cross
Subject: Re: Fwd: Should package.el support notifying on package security updates?
Date: Sat, 13 Aug 2022 10:58:40 +1000
User-agent: mu4e 1.8.8; emacs 29.0.50

Stefan Monnier <monnier@iro.umontreal.ca> writes:

>
> I'm not sure it would be a big problem.  But I'm not sure it would be an
> improvement either.  Especially because I suspect it might give the
> false impression that the code of ELisp packages is somewhat
> security-conscious, whereas in my experience, the vast majority of Emacs
> packages isn't (they may end up secure by accident, of course).
>
>

That is an extremely important point. Very few people even give this a
thought when installing packages - especially packages from MELPA and
other external repositories. Having 'security' would imply for some that
there is a formal security process for reviewing, tracking and reporting
security issues. We don't have any of this and advertising some updates
as security fixes could well create a false sense of security. 


