Re: is melpa just unsigned?
From: Samuel Wales
Subject: Re: is melpa just unsigned?
Date: Mon, 22 May 2023 19:53:10 -0700
just brainstorming but if by chance melpa is not signed, i wonder if
there are package managers that kind of kludge security a bit. not
perfection, but try to dtrt. enhancing melpa or bypassing it.

for example, idk the current status of git's sha-1 [?] crypto
brokenness, but packages that use git could perhaps have their shas
compared via multiple routes, or so. maybe only google-level actors
could currently break sha-1 for all i know.

at least you could check that the sha you have is the same lots of
other users have?

are guix or nix debian-like in their signing infrastructure? i am
just thinking out loud here for possible solutions for more security.
comparing multiple routes, using git's history, or a clever trick i
am not thinking of now. does el-get do?

of course i am aware signing is only part of ensuring security,
and melpa does curating, and authors or computers could turn evil, but
where there is a chain that reliably goes back to an author from the
code you dled, it's a pretty good feeling.
On 5/21/23, Michael Heerdegen <michael_heerdegen@web.de> wrote:
> Emanuel Berg <incal@dataswamp.org> writes:
>
>> > If you get no answers here... since Melpa is not part of
>> > Emacs, maybe you have more luck if you ask the Melpa people?
>>
>> You mean they don't read here? :(
>
> I don't know. Some days ago I opened a GitHub issue with a request
> for an answer and improvement of the documentation of Melpa so that
> users can read about this. So far nobody responded. Maybe they are all
> on vacation or nobody wants to say something wrong, I don't know.
>
> Michael.
>
>
>
--
The Kafka Pandemic
A blog about science, health, human rights, and misopathy:
https://thekafkapandemic.blogspot.com
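The "compare the sha via multiple routes" idea from the message above, worked through as an added example; this is not code from the original post, from MELPA, or from el-get. It assumes a locally recorded pin (a commit id you trust) plus the commit ids that several independent routes (upstream, a mirror, another user's checkout) report for the same package; the route names, the pinned id, and the sample file bytes are all constructed. The function names (git_blob_id, content_digest, cross_route_check) are the example's own. Because the post also worries about SHA-1, the example records a SHA-256 of the file content next to the git object id, so a pin does not rest on SHA-1 alone.

```python
"""Cross-route consensus check for an unsigned package's git revision.

Added example, not from the original post or from MELPA/el-get.
All route names, commit ids and file bytes below are constructed.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def git_blob_id(data: bytes) -> str:
    """Object id git assigns to a blob with this content: SHA-1 over a
    'blob <len>\\0' header followed by the bytes. Lets a downloaded file
    be matched against a git tree without git installed."""
    header = b"blob %d\0" % len(data)
    return hashlib.sha1(header + data).hexdigest()


def content_digest(data: bytes) -> str:
    """SHA-256 of the same bytes, recorded alongside the git id so the
    pin does not depend on SHA-1 collision resistance alone."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Verdict:
    ok: bool
    reason: str
    agreeing_routes: List[str] = field(default_factory=list)
    dissenting_routes: List[str] = field(default_factory=list)


def cross_route_check(pinned: str,
                      observations: Dict[str, Optional[str]],
                      min_routes: int = 2) -> Verdict:
    """Accept a revision only if at least `min_routes` independent routes
    report the pinned commit id and no reachable route disagrees.

    `observations` maps a route name (upstream, mirror, another user's
    checkout, ...) to the commit id it reported, or None if unreachable.
    An unreachable route neither confirms nor contradicts the pin."""
    agree = [r for r, sha in observations.items() if sha == pinned]
    dissent = [r for r, sha in observations.items()
               if sha is not None and sha != pinned]
    if dissent:
        return Verdict(False, "routes disagree about the pinned revision",
                       agree, dissent)
    if len(agree) < min_routes:
        return Verdict(False,
                       f"only {len(agree)} route(s) confirmed the pin; "
                       f"need {min_routes}", agree, dissent)
    return Verdict(True, "pin confirmed by independent routes", agree, dissent)


# Constructed sample data (not real MELPA packages or commits).
SAMPLE_FILE = b"hello\n"
PINNED = "1111111111111111111111111111111111111111"
ROUTES_OK = {"upstream": PINNED, "mirror": PINNED, "friend": None}
ROUTES_SPLIT = {"upstream": PINNED,
                "mirror": "2222222222222222222222222222222222222222"}


def sample_record() -> Dict[str, str]:
    """What a lockfile entry for SAMPLE_FILE would carry: both digests."""
    return {"git_blob": git_blob_id(SAMPLE_FILE),
            "sha256": content_digest(SAMPLE_FILE)}


if __name__ == "__main__":
    print(sample_record())
    for label, routes in (("ok", ROUTES_OK), ("split", ROUTES_SPLIT)):
        v = cross_route_check(PINNED, routes)
        print(label, v.ok, v.reason, v.dissenting_routes)
```

The check treats an unreachable route as silence rather than agreement, so a pin is only accepted when enough routes actively confirm it; a single dissenting route is enough to refuse, which is the conservative choice when there is no signature to fall back on.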