Re: feature/package+vc 04c4c578c7 3/4: Allow for packages to be installed directly from VCS

[Philip Kaludercic]

Stefan Monnier <monnier@iro.umontreal.ca> writes:

>> If we don't have such a list, then adding the basic functionality sounds
>> useful anyway -- that is, allowing users to say `M-x
>> package-install-from-repo' or something and then they type in the URL of
>> that repo -- that's fine, and leaves the security implications to the
>> user (where they already are today for people that install from external
>> repos).
>
> Indeed there are 2 different steps:
> - installing from a particular "URL" (well, a URL plus some extra side
>   info, tho that side info can be empty in many cases).  AFAIK that's
>   what Philip's code currently offers.

Correct.

> - provide some way to let the user specify a package name and let
>   something else map that to a "URL".  This is the more risky step and
>   I don't think his code implements that yet.  Not sure how to address
>   the security issue at that step, other than by dumping the problem
>   onto the users: show them the URL and ask them if they're OK with it.

This is implemented, the "something else" is just the package metadata.
To me there seems to be no difference between trusting an archive that
a tarball is safe or that a repository it points to is safe.

> But as Philip points out, the (Non)GNU ELPA packages, while signed and
> all, just blindly pull from those same URLs to build the tarballs, so
> the difference is not as large as it seems.

If it would make any difference, it would also be possible to inhibit
the generation of autoloads.

>> But if we list these repos in `M-x list-packages', that's a very
>> different issue.
>
> It also depends on where the list comes from.
>
>
>         Stefan