Re: Fwd: Should package.el support notifying on package security updates?

[Richard Stallman]

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > That makes sense. But I only brought up the MELPA example because I
  > recently encountered a security bug in a MELPA package. There's no reason
  > ELPA packages can't have similar security bugs (I just don't have an
  > example of this at the moment), and I figured it might be a good idea to
  > have some support for making it easier for users to quickly get security
  > updates for packages, regardless of what repository they're using.

We can do that for the repositories that we support, whose packages we
can fix or whose maintainers have some relationship with us.  We have
no relationship with MELPA -- if you use that, you're on your own.

We do copy some packages from MELPA into NonGNU ELPA.  It takes a
little discussion, making sure the package does and will satisfy some
basic criteria.  But if the package is popular, we're glad to do that.
You can ask us to move the packages you use, if they are popular.

Do we support the NonGNU ELPA packages well enough now
for security updates?

-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)