GNU bug report logs - #61277
FR: ELPA security - Restrict package builds to signed git commits


Package: emacs;

Reported by: Daniel Mendler <mail <at> daniel-mendler.de>

Date: Sat, 4 Feb 2023 18:20:02 UTC

Severity: wishlist

Tags: security


From: Stefan Monnier <monnier <at> iro.umontreal.ca>
To: Stefan Kangas <stefankangas <at> gmail.com>
Cc: mail <at> daniel-mendler.de, 61277 <at> debbugs.gnu.org, yantar92 <at> posteo.net, rms <at> gnu.org
Subject: bug#61277: FR: ELPA security - Restrict package builds to signed git commits
Date: Wed, 15 Feb 2023 11:40:20 -0500
> If an attacker can introduce a commit containing malicious code, and
> create a new git tag pointing to that commit, the GNU ELPA scripts will
> fetch it, and release a new version of the package (now including the
> malicious code).  By requiring tags to be cryptographically signed, we
> can have a greater confidence that any new tag has at the very least
> been signed off by the developer him/herself.

Technical nitpick: currently, the elpa.gnu.org scripts do not pay
attention to any Git tags (signed or not) to do their work.  We only use
the commits and their contents/history.


        Stefan
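The check this report asks for, written here as an added example rather than as elpa.gnu.org's own scripts: because the build works from commits rather than tags, every commit that would enter a release is checked against git's signature status (`%G?`) and an allowlist of maintainer key fingerprints (`%GF`). The fingerprints and log lines below are constructed.

```python
"""Gate a package build on commit signatures (illustrative, not ELPA code).

Input is the output of:
    git log --format='%H%x09%G?%x09%GF' <last-release>..<head>
i.e. one tab-separated line per commit: hash, signature status, key fingerprint.
"""
from dataclasses import dataclass

# Hypothetical allowlist of maintainer key fingerprints (constructed value).
TRUSTED_FINGERPRINTS = {
    "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555",
}

# git's %G? letters that mean "signature verified"; everything else fails.
GOOD = "G"       # valid signature, key trusted by gpg
UNTRUSTED = "U"  # valid signature, key not trusted by gpg (we use our own list)


@dataclass
class Verdict:
    ok: bool
    reason: str


def check_commit(line: str) -> Verdict:
    """Decide whether one '<hash>\\t<status>\\t<fingerprint>' line passes."""
    try:
        sha, status, fpr = line.rstrip("\n").split("\t")
    except ValueError:
        return Verdict(False, f"malformed git log line: {line!r}")
    if status not in (GOOD, UNTRUSTED):
        # B = bad, N = none, E = cannot check, X/Y/R = expired or revoked key
        return Verdict(False, f"{sha[:12]}: signature status {status!r}")
    # Do not rely on gpg's trust database: the key must be on our allowlist.
    if fpr.upper() not in TRUSTED_FINGERPRINTS:
        return Verdict(False, f"{sha[:12]}: signed by unlisted key {fpr or '<none>'}")
    return Verdict(True, f"{sha[:12]}: ok")


def build_allowed(git_log_output: str) -> tuple[bool, list[str]]:
    """Every new commit must pass; a single failure blocks the release."""
    verdicts = [check_commit(l) for l in git_log_output.splitlines() if l.strip()]
    if not verdicts:
        return False, ["no commits to verify"]
    return all(v.ok for v in verdicts), [v.reason for v in verdicts]


# Constructed sample: one signed commit by a listed key, one unsigned commit.
SAMPLE_LOG = (
    "1111111111111111111111111111111111111111\tG\t"
    "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555\n"
    "2222222222222222222222222222222222222222\tN\t\n"
)

if __name__ == "__main__":
    allowed, reasons = build_allowed(SAMPLE_LOG)
    print("build allowed:", allowed)
    print("\n".join(reasons))
```

In a real build the log text would come from running the `git log` command above against the package's repository; the unsigned second commit in the sample is what blocks the build.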
