help-gnu-emacs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Sv: Install orgmode using its git repository.


From: Robert Thorpe
Subject: Re: Sv: Install orgmode using its git repository.
Date: Tue, 29 Dec 2020 21:39:22 +0000

For what it's worth, I agree with Arthur.

I'd point out that this sort of thing has happened before.  A Python
package called "Colourama" was found to be manipulating bitcoin
addresses.  When you put a bitcoin address into the clipboard it would
intercept it and replace it with a different one.  Notice the British
spelling, the legitimate package was called "Colorama".  The "Colourama"
package was a minor derivative with the bitcoin address trick added in.

Something similar happened to the NPM Javascript library.

We also have to remember that there's the possibility of people hacking
things like github.  Or obtaining the credentials of github users and
their signing keys.  The recent problems at the US DoD were caused by
Solarwinds software.  The hackers got into the Solarwinds source code
repository (due to very lax security, github & gitlab are probably
better).  Once in the repository they made a few changes to the
sourcecode to introduce a backdoor.

As a result, I'm fairly wary of this idea of automatic downloading.  On
the other hand, for many packages it's hardly practical to read the
whole sourcecode no matter how you obtain it.

BR,
Robert Thorpe

arthur miller <arthur.miller@live.com> writes:

> I won't say anything about nix; it probably is very good and flexible system. 
> I am also sure containers (docker, kubernetes etc) could be utilized to 
> sandbox Emacs and what not. But I don't think it should not be mandatory. 
> Emacs should run safe on bare metal.
>
> However it is all personal. People can do whatever they want with their 
> computers, and there are already solutions that integrate random github 
> repos: quelpa and straight. But it is still individuals own initiative to use 
> those. I don't Emacs should have that built in.
>
> In my opinion it opens for more security risks then needed, and also for 
> possibility to very easy distribute binary blobs not compatible with GPL. It 
> is not very difficult to get in those in Emacs now either, but at least it 
> takes individual's own actions and is not automated from Emacs out of the box.
>
>
> -------- Originalmeddelande --------
> Från: Leo Butler <leo.butler@umanitoba.ca>
> Datum: 2020-12-29 16:49 (GMT+01:00)
> Till: help-gnu-emacs <help-gnu-emacs@gnu.org>
> Ämne: Re: Sv: Install orgmode using its git repository.
>
> arthur miller <arthur.miller@live.com> writes:
>
>> Nöje of that you write is particularly adequate "addressing" of potential 
>> security vulnerability that let's potential malicious code 1) install 
>> anything on  your machine 2) steal your data 3) destroy your data.
>>
>> Maybe a virtual machine, but then you wouldn't be running your Emacs for 
>> anything  sensitive or serious.
>
> Actually, *nix systems have a very good way to handle these kinds of
> threats without resort to such devices: users and groups. One can create
> a user account with very limited privileges for working with unvetted
> code, data, etc.
>
> Actually, I do this for developing new code, too. That way, whatever I
> break/change is contained within the confines of that account.
>
>>
>> A reviewed package from elpa/helps gives at least some guarantee that you 
>> are not getting binary blobs and/or directly malicious code installed on 
>> your machine.
>
> Leo
>
>
>>
>>
>> -------- Originalmeddelande --------
>> Från: David Masterson <dsmasterson92630@outlook.com>
>> Datum: 2020-12-28 22:44 (GMT+01:00)
>> Till: arthur miller <arthur.miller@live.com>
>> Kopia: Hongyi Zhao <hongyi.zhao@gmail.com>, Stefan Monnier 
>> <monnier@iro.umontreal.ca>, help-gnu-emacs <help-gnu-emacs@gnu.org>
>> Ämne: Re: Sv: Install orgmode using its git repository.
>>
>> arthur miller <arthur.miller@live.com> writes:
>>
>>> I don't think it is very safe practice to install random Joe's code
>>> directly from some git repo. We have not yet seen malicious code (not
>>> what I know) in Emacs community, but Emacs in that respect is as bad
>>> as MS Office from time when VBA scripts (and viruses) were shared
>>> wildly around, or a web browserwith JS that can do anything. Remember
>>> time when JS was off by default in all browsers?  Elisp can do
>>> whatever on your computer, so you should be careful what you
>>> install. Installing from random git repos can open you for more
>>> security problems then needed. I do clone lots from gitlab/github, but
>>> I always look at the code myself before I ever run it.
>>>
>>> Another point is that installing from git and different branches as it
>>> is possible with straight.el or quelpa (is what OP actually wants) can
>>> eventually lead to incompatibility between code that might be much
>>> harder to detect. I personally don't want to bother with latest-latest
>>> of all latest because eventually it could become a spagheti code of
>>> possible incompatibility and clashes.
>>
>> You can address these points in multiple ways:
>>
>> 1. A good backup and restore strategy
>> 2. Virtual machines (ie a chromebook)
>> 3. prioritize (m)elpa-stable over (m)elpa
>> 4. el-get can get particular version from git
>> ...
>>
>> --
>> David Masterson



reply via email to

[Prev in Thread] Current Thread [Next in Thread]