GNU bug report logs - #19479
Package manager vulnerable

Previous Next

Package: emacs;

Reported by: Kelly Dean <kelly <at> prtime.org>

Date: Thu, 1 Jan 2015 12:40:02 UTC

Severity: important

Tags: security

Full log

View this message in rfc822 format

From: Kelly Dean <kelly <at> prtime.org>
To: 19479 <at> debbugs.gnu.org
Subject: bug#19479: Package manager vulnerable
Date: Thu, 08 Jan 2015 11:40:25 +0000

BTW, Stefan mentioned (see bug #19536) that you don't use package-x for elpa.gnu.org, and instead use some other scripts, so it just occurred to me that you might not immediately notice that my patch not only verifies hashes, but also generates them, so there's nothing extra you need to do.

Just use package-upload-file from package-x.el, and it will automatically add the appropriate entry (including hash) for the package to the archive-contents file.

Apply the fix for bug #19536 if you want package-upload-file to correctly add tar files to the archive's package directory. (It already correctly adds single-file packages.)

GNU elpa, Melpa, and Marmalade can start using the new archive-contents now. Old clients will still work fine, and simply ignore the hashes. New clients will verify them.
This bug report was last modified 4 years and 202 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.