GNU bug report logs - #32544
[ELPA] core packages need generated files

Previous Next

Package: emacs;

Reported by: Michael Albinus <michael.albinus <at> gmx.de>

Date: Mon, 27 Aug 2018 15:15:02 UTC

Severity: wishlist

Done: Stefan Monnier <monnier <at> iro.umontreal.ca>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Stefan Monnier <monnier <at> IRO.UMontreal.CA>
To: Glenn Morris <rgm <at> gnu.org>
Cc: 32544 <at> debbugs.gnu.org, Michael Albinus <michael.albinus <at> gmx.de>
Subject: bug#32544: [ELPA] core packages need generated files
Date: Mon, 27 Aug 2018 20:15:28 -0400

> Is the concern privilege escalation in build recipes in malicious elpa
> packages?

Yes.

> But couldn't the same package run the same bad code at package install
> time on the end user's machine, today and for as long as elpa.gnu.org
> has existed?

Yes.  Tho not only "at package install time", since that same bad code
can be run any time later when the package is activated or loaded...

> Ie, if we assume malicious code can get into elpa packages with no-one
> noticing, the whole system is already broken anyway?

Yup.

> But if you want to make the elpa system more secure one piece at a time,
> that's obviously no bad thing.

I think the reasons why I'm more worried about elpa.gnu.org than the
end-user's machines include:

- very little time between the moment we receive the commit-diffs by
  email and the moment the code is run.  So even if we notice the
  offending code on the spot, there's not much time to react.
- elpa.gnu.org is part of infrastructure that Emacs users trust when
  downloading GNU ELPA packages (e.g. it holds the PGP signing key), so
  a breach could affect all GNU ELPA users (especially if not
  noticed).


        Stefan
This bug report was last modified 4 years and 235 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.