GNU bug report logs - #61277
FR: ELPA security - Restrict package builds to signed git commits

Package: emacs;

Reported by: Daniel Mendler <mail <at> daniel-mendler.de>

Date: Sat, 4 Feb 2023 18:20:02 UTC

Severity: wishlist

Tags: security

View this message in rfc822 format

From: Richard Stallman <rms <at> gnu.org>
To: Stefan Kangas <stefankangas <at> gmail.com>
Cc: mail <at> daniel-mendler.de, 61277 <at> debbugs.gnu.org, yantar92 <at> posteo.net, monnier <at> iro.umontreal.ca
Subject: bug#61277: FR: ELPA security - Restrict package builds to signed git commits
Date: Sat, 25 Feb 2023 21:59:45 -0500

Please forgive my delay in replying.

  > If an attacker can introduce a commit containing malicious code, and
  > create a new git tag pointing to that commit, the GNU ELPA scripts will
  > fetch it, and release a new version of the package (now including the
  > malicious code).  By requiring tags to be cryptographically signed, we
  > can have a greater confidence that any new tag has at the very least
  > been signed off by the developer him/herself.

This seems wise to me.  Does anyone have arguments against?

-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)

This bug report was last modified 1 year and 285 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.

GNU bug report logs - #61277 FR: ELPA security - Restrict package builds to signed git commits

GNU bug report logs - #61277
FR: ELPA security - Restrict package builds to signed git commits