GNU bug report logs - #61277
FR: ELPA security - Restrict package builds to signed git commits

Previous Next

Full log

Message #41 received at 61277 <at> debbugs.gnu.org (full text, mbox):

From: Richard Stallman <rms <at> gnu.org>
To: Daniel Mendler <mail <at> daniel-mendler.de>
Cc: 61277 <at> debbugs.gnu.org, yantar92 <at> posteo.net, stefankangas <at> gmail.com,
 monnier <at> iro.umontreal.ca
Subject: Re: bug#61277: FR: ELPA security - Restrict package builds to signed
 git commits
Date: Wed, 15 Feb 2023 00:17:21 -0500

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > There could also be a breach on the server where the git repository is
  > hosted. The repository could be manipulated directly on the server. It
  > is not that likely but if such incidents happen they have a huge
  > fallout. I also expect that more and more people move their
  > :auto-sync'ed git repositories to private servers or smaller forges,
  > which may not be as protected as the most popular ones.

Do we know of any security experts who appeciate the moral principles
of free software, who could help us come up with methods that properly
handle both?

-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.