GNU bug report logs - #61277
FR: ELPA security - Restrict package builds to signed git commits


Package: emacs;

Reported by: Daniel Mendler <mail <at> daniel-mendler.de>

Date: Sat, 4 Feb 2023 18:20:02 UTC

Severity: wishlist

Tags: security


From: Stefan Kangas <stefankangas <at> gmail.com>
To: rms <at> gnu.org
Cc: mail <at> daniel-mendler.de, 61277 <at> debbugs.gnu.org, yantar92 <at> posteo.net, monnier <at> iro.umontreal.ca
Subject: bug#61277: FR: ELPA security - Restrict package builds to signed git commits
Date: Wed, 15 Feb 2023 05:37:36 -0800
Richard Stallman <rms <at> gnu.org> writes:

> You're discussing the "how" of a possible breach,
> but what I really need to know is the "what".
> What is being breached?  What is the context here?

The "what" is the git repository of a GNU ELPA or NonGNU ELPA package.

If an attacker can introduce a commit containing malicious code, and
create a new git tag pointing to that commit, the GNU ELPA scripts will
fetch it, and release a new version of the package (now including the
malicious code).  By requiring tags to be cryptographically signed, we
can have a greater confidence that any new tag has at the very least
been signed off by the developer him/herself.
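An added example (not code from the bug thread or from the ELPA build scripts) of the gate the message argues for: it parses the gpg status lines that `git verify-tag --raw <tag>` writes to stderr and accepts a tag only if it has a good signature from a key whose primary fingerprint is on a maintainer allowlist. The fingerprints, key id and user id below are constructed.

```python
"""Gate a package build on a git tag's signature (constructed example).

Parses gpg status lines as emitted by `git verify-tag --raw <tag>` and
accepts the tag only if it carries a GOODSIG made by a key whose primary
fingerprint is on the maintainer allowlist.
"""
import subprocess

# Constructed sample: a good signature from a key on the allowlist.
GOOD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Maintainer <maintainer@example.org>
[GNUPG:] VALIDSIG 0000111122223333444455556666777788889999 2023-02-04 1675535000 0 4 0 22 8 00 0000111122223333444455556666777788889999
[GNUPG:] TRUST_FULLY 0 pgp
"""
# Constructed sample: a valid signature, but from a key nobody approved.
STRANGER_STATUS = GOOD_STATUS.replace("0000111122223333444455556666777788889999", "FFFF" * 10)
# Constructed sample: an unsigned tag yields no status lines at all.
UNSIGNED_STATUS = ""

# Status keywords that must stop the build regardless of anything else.
FATAL = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "EXPSIG"}

def tag_is_trusted(status_output: str, allowed_fingerprints: set[str]) -> bool:
    """Return True only for a GOODSIG backed by an allowlisted primary key."""
    good = False
    fprs = set()
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword in FATAL:
            return False  # bad, expired or revoked signature: never build
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and len(fields) >= 12:
            fprs.add(fields[11].upper())  # 11th field: primary-key fingerprint
    # A valid signature from a key not on the list is just the attacker's own tag.
    return good and bool(fprs & {f.upper() for f in allowed_fingerprints})

def verify_tag(repo_dir: str, tag: str, allowed_fingerprints: set[str]) -> bool:
    """Run `git verify-tag --raw` in repo_dir and apply the policy above."""
    proc = subprocess.run(["git", "-C", repo_dir, "verify-tag", "--raw", tag],
                          capture_output=True, text=True)
    return proc.returncode == 0 and tag_is_trusted(proc.stderr, allowed_fingerprints)
```

The allowlist check is the part that matters: a signature that merely verifies proves only that someone holds some key, so the build must pin the fingerprints it expects for that package.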




This bug report was last modified 1 year and 286 days ago.
