GNU bug report logs - #61277
FR: ELPA security - Restrict package builds to signed git commits


Package: emacs;

Reported by: Daniel Mendler <mail <at> daniel-mendler.de>

Date: Sat, 4 Feb 2023 18:20:02 UTC

Severity: wishlist

Tags: security



Message #35 received at 61277 <at> debbugs.gnu.org (full text, mbox):

From: Daniel Mendler <mail <at> daniel-mendler.de>
To: Stefan Kangas <stefankangas <at> gmail.com>, rms <at> gnu.org
Cc: 61277 <at> debbugs.gnu.org, yantar92 <at> posteo.net, monnier <at> iro.umontreal.ca
Subject: Re: bug#61277: FR: ELPA security - Restrict package builds to signed git commits
Date: Sun, 12 Feb 2023 11:32:36 +0100
On 2/12/23 07:37, Stefan Kangas wrote:
>> Breach of precisely what?  To think about this issue
>> requires an answer to that question.
> 
> The idea is that the likelihood of both an SSH and a PGP key getting
> stolen at the same time is lower than either one of them getting stolen
> separately.

There could also be a breach on the server where the git repository is
hosted. The repository could be manipulated directly on the server. It
is not that likely, but if such incidents happen, they have a huge
fallout. I also expect that more and more people will move their
:auto-sync'ed git repositories to private servers or smaller forges,
which may not be as well protected as the most popular ones.

Daniel



