GNU bug report logs - #61277
FR: ELPA security - Restrict package builds to signed git commits


Package: emacs

Reported by: Daniel Mendler <mail <at> daniel-mendler.de>

Date: Sat, 4 Feb 2023 18:20:02 UTC

Severity: wishlist

Tags: security



Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Daniel Mendler <mail <at> daniel-mendler.de>
To: bug-gnu-emacs <at> gnu.org
Cc: yantar92 <at> posteo.net, stefan <at> marxist.se, monnier <at> iro.umontreal.ca
Subject: FR: ELPA security - Restrict package builds to signed git commits
Date: Sat, 04 Feb 2023 19:19:06 +0100

As discussed on emacs-devel it would be good if ELPA security could be
improved, preventing potential breaches on the side of the source
repository. This feature becomes more relevant the more packages are
:auto-sync'ed from their source repository.

My git commits are usually signed, so one could check the signature of
each commit which leads to a package build. This feature could be opt-in
for now, enabled via an attribute :signature in the elpa-packages
configuration. Maybe elpa-packages could store the fingerprint(s) of the
expected GPG key(s)?

In the case of a breach, both the SSH and GPG keys may be stolen, which
would allow an attacker to create commits on hosted repositories, such
that the mechanism would not help. However, the source repository may
also get compromised via other vectors.

https://lists.gnu.org/archive/html/emacs-devel/2023-02/msg00120.html
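
The check proposed in the message above, sketched as an added example (it is not part of the original report and is not elpa-admin code): every commit leading to a build must carry a valid signature whose key fingerprint is on a per-package allow-list. The function names and the fingerprint arguments, standing in for whatever the proposed `:signature` attribute would store, are assumptions.

```shell
#!/bin/sh
# Added illustration. The fingerprints passed as arguments stand in for the
# value of the proposed :signature attribute (hypothetical).

# signer_allowed STATUS FPR...
# STATUS is GnuPG status output, as printed by `git verify-commit --raw`.
# Succeeds only if a VALIDSIG line names an allowed signing-key or primary-key
# fingerprint and no bad, expired or revoked status was reported.
signer_allowed() {
    st_text=$1; shift
    printf '%s\n' "$st_text" | awk -v allowed="$*" '
        BEGIN { n = split(allowed, a, " ")
                for (i = 1; i <= n; i++) ok[toupper(a[i])] = 1 }
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # $3: fingerprint of the key that signed; last field: primary key.
            if ((toupper($3) in ok) || (toupper($NF) in ok)) found = 1
        }
        END { exit ((found && !bad) ? 0 : 1) }'
}

# check_range REPO OLD NEW FPR...
# Refuses the build unless every commit in OLD..NEW passes signer_allowed.
check_range() {
    repo=$1; old=$2; new=$3; shift 3
    for c in $(git -C "$repo" rev-list "$old..$new"); do
        # --raw writes the GnuPG status lines to stderr; capture only those.
        if ! st=$(git -C "$repo" verify-commit --raw "$c" 2>&1 >/dev/null) ||
           ! signer_allowed "$st" "$@"; then
            echo "rejecting build: $c lacks an allowed signature" >&2
            return 1
        fi
    done
}
```

Matching on the full fingerprint rather than on the signer name or short key ID is what ties the check to a specific key, and rejecting revoked-key status lets a maintainer cut off a stolen key by publishing a revocation.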




This bug report was last modified 1 year and 286 days ago.
