From: Richard Stallman <rms@HIDDEN>
To: Stefan Kangas <stefankangas@HIDDEN>
Cc: mail@HIDDEN, 61277 <at> debbugs.gnu.org, yantar92@HIDDEN, monnier@HIDDEN
Subject: Re: bug#61277: FR: ELPA security - Restrict package builds to signed git commits
Date: Sat, 25 Feb 2023 21:59:45 -0500
Message-Id: <E1pW7GL-0007zb-WE@HIDDEN>
In-Reply-To: <CADwFkmn1q23w1XT94vHXU5jsrnZeiHs0RV+O1b4GYySiDKNQwg@HIDDEN> (message from Stefan Kangas on Wed, 15 Feb 2023 05:37:36 -0800)

Please forgive my delay in replying.

> If an attacker can introduce a commit containing malicious code, and
> create a new git tag pointing to that commit, the GNU ELPA scripts will
> fetch it, and release a new version of the package (now including the
> malicious code). By requiring tags to be cryptographically signed, we
> can have a greater confidence that any new tag has at the very least
> been signed off by the developer him/herself.

This seems wise to me. Does anyone have arguments against?

-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)
From: Stefan Monnier <monnier@HIDDEN>
To: Stefan Kangas <stefankangas@HIDDEN>
Cc: mail@HIDDEN, 61277 <at> debbugs.gnu.org, yantar92@HIDDEN, rms@HIDDEN
Subject: Re: bug#61277: FR: ELPA security - Restrict package builds to signed git commits
Date: Wed, 15 Feb 2023 11:40:20 -0500
Message-ID: <jwvsff66fyw.fsf-monnier+emacs@HIDDEN>
In-Reply-To: <CADwFkmn1q23w1XT94vHXU5jsrnZeiHs0RV+O1b4GYySiDKNQwg@HIDDEN> (Stefan Kangas's message of "Wed, 15 Feb 2023 05:37:36 -0800")

> If an attacker can introduce a commit containing malicious code, and
> create a new git tag pointing to that commit, the GNU ELPA scripts will
> fetch it, and release a new version of the package (now including the
> malicious code). By requiring tags to be cryptographically signed, we
> can have a greater confidence that any new tag has at the very least
> been signed off by the developer him/herself.

Technical nitpick: currently, the elpa.gnu.org scripts do not pay
attention to any Git tags (signed or not) to do their work. We only use
the commits and their contents/history.

        Stefan
From: Stefan Kangas <stefankangas@HIDDEN>
To: rms@HIDDEN
Cc: mail@HIDDEN, 61277 <at> debbugs.gnu.org, yantar92@HIDDEN, monnier@HIDDEN
Subject: Re: bug#61277: FR: ELPA security - Restrict package builds to signed git commits
Date: Wed, 15 Feb 2023 05:37:36 -0800
Message-ID: <CADwFkmn1q23w1XT94vHXU5jsrnZeiHs0RV+O1b4GYySiDKNQwg@HIDDEN>
In-Reply-To: <E1pSAAM-0002rh-D8@HIDDEN>

Richard Stallman <rms@HIDDEN> writes:

> You're discussing the "how" of a possible breach,
> but what I really need to know is the "what".
> What is being breached? What is the context here?

The "what" is the git repository of a GNU ELPA or NonGNU ELPA package.

If an attacker can introduce a commit containing malicious code, and
create a new git tag pointing to that commit, the GNU ELPA scripts will
fetch it, and release a new version of the package (now including the
malicious code). By requiring tags to be cryptographically signed, we
can have a greater confidence that any new tag has at the very least
been signed off by the developer him/herself.
From: Richard Stallman <rms@HIDDEN>
To: Daniel Mendler <mail@HIDDEN>
Cc: 61277 <at> debbugs.gnu.org, yantar92@HIDDEN, stefankangas@HIDDEN, monnier@HIDDEN
Subject: Re: bug#61277: FR: ELPA security - Restrict package builds to signed git commits
Date: Wed, 15 Feb 2023 00:17:21 -0500
Message-Id: <E1pSAAT-0002sj-AC@HIDDEN>
In-Reply-To: <23c855a2-4330-6da8-6a05-72f26e4ebc5b@HIDDEN> (message from Daniel Mendler on Sun, 12 Feb 2023 11:32:36 +0100)

[[[ To any NSA and FBI agents reading my email: please consider ]]]
[[[ whether defending the US Constitution against all enemies, ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

> There could also be a breach on the server where the git repository is
> hosted. The repository could be manipulated directly on the server. It
> is not that likely but if such incidents happen they have a huge
> fallout. I also expect that more and more people move their
> :auto-sync'ed git repositories to private servers or smaller forges,
> which may not be as protected as the most popular ones.

Do we know of any security experts who appreciate the moral principles
of free software, who could help us come up with methods that properly
handle both?

-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)
From: Richard Stallman <rms@HIDDEN>
To: Stefan Kangas <stefankangas@HIDDEN>
Cc: mail@HIDDEN, 61277 <at> debbugs.gnu.org, yantar92@HIDDEN, monnier@HIDDEN
Subject: Re: bug#61277: FR: ELPA security - Restrict package builds to signed git commits
Date: Wed, 15 Feb 2023 00:17:14 -0500
Message-Id: <E1pSAAM-0002rh-D8@HIDDEN>
In-Reply-To: <CADwFkmkZNDSjmGJDHB4Xp78s8=mM32+uF0nF=gjrTEf6RRa_6A@HIDDEN> (message from Stefan Kangas on Sun, 12 Feb 2023 06:37:01 +0000)

[[[ To any NSA and FBI agents reading my email: please consider ]]]
[[[ whether defending the US Constitution against all enemies, ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

> > > In the case of a breach,
> >
> > Breach of precisely what? To think about this issue
> > requires an answer to that question.

> The idea is that the likelihood of both an SSH and a PGP key getting
> stolen at the same time is lower than either one of them getting stolen
> separately.

That seems plausible to me, but we are miscommunicating.
You're discussing the "how" of a possible breach,
but what I really need to know is the "what".
What is being breached? What is the context here?

-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)
From: Daniel Mendler <mail@HIDDEN>
To: Stefan Kangas <stefankangas@HIDDEN>, rms@HIDDEN
Cc: 61277 <at> debbugs.gnu.org, yantar92@HIDDEN, monnier@HIDDEN
Subject: Re: bug#61277: FR: ELPA security - Restrict package builds to signed git commits
Date: Sun, 12 Feb 2023 11:32:36 +0100
Message-ID: <23c855a2-4330-6da8-6a05-72f26e4ebc5b@HIDDEN>
In-Reply-To: <CADwFkmkZNDSjmGJDHB4Xp78s8=mM32+uF0nF=gjrTEf6RRa_6A@HIDDEN>

On 2/12/23 07:37, Stefan Kangas wrote:
>> Breach of precisely what? To think about this issue
>> requires an answer to that question.
>
> The idea is that the likelihood of both an SSH and a PGP key getting
> stolen at the same time is lower than either one of them getting stolen
> separately.

There could also be a breach on the server where the git repository is
hosted. The repository could be manipulated directly on the server. It
is not that likely but if such incidents happen they have a huge
fallout. I also expect that more and more people move their
:auto-sync'ed git repositories to private servers or smaller forges,
which may not be as protected as the most popular ones.

Daniel
From: Stefan Kangas <stefankangas@HIDDEN>
To: rms@HIDDEN, Daniel Mendler <mail@HIDDEN>
Cc: 61277 <at> debbugs.gnu.org, yantar92@HIDDEN, monnier@HIDDEN
Subject: Re: bug#61277: FR: ELPA security - Restrict package builds to signed git commits
Date: Sun, 12 Feb 2023 06:37:01 +0000
Message-ID: <CADwFkmkZNDSjmGJDHB4Xp78s8=mM32+uF0nF=gjrTEf6RRa_6A@HIDDEN>
In-Reply-To: <E1pPF5v-0007YZ-6K@HIDDEN>

Richard Stallman <rms@HIDDEN> writes:

> > In the case of a breach,
>
> Breach of precisely what? To think about this issue
> requires an answer to that question.

The idea is that the likelihood of both an SSH and a PGP key getting
stolen at the same time is lower than either one of them getting stolen
separately.

> > both the SSH and GPG keys may be stolen, which
> > would allow an attacker to create commits on hosted repositories, such
> > that the mechanism would not help.
>
> Is this a problem that has a solution?

Yes, for example you could put your PGP key (usually a subkey) on a
smartcard, and have no copy on the local filesystem. PGP keys usually
also have an additional password, in addition to the one that developers
normally (we hope) use for their SSH key.
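The build-side gate this thread asks for (release a package only when the new tag carries a valid signature, and still be safe when the signing subkey lives on a smartcard rather than on disk), written out as an added example. This is not the elpa.gnu.org build scripts' own code; as Stefan Monnier notes above, those scripts currently ignore tags altogether. The example reads the machine-readable status lines that `git verify-tag --raw <tag>` writes to stderr (gpg's `--status-fd` format) and accepts a tag only if gpg reports a good signature AND the signature's primary-key fingerprint is on an explicit maintainer allowlist; matching on the primary key is what lets a per-device signing subkey, such as one kept on a smartcard, work without listing every subkey. The repository path, tag name, fingerprints and status output below are constructed placeholders.

```python
"""Gate a package build on a verified, allowlisted git tag signature.

Added example, not the ELPA build scripts. Parses gpg status-fd lines as
emitted by `git verify-tag --raw TAG` and decides whether to build.
"""
import subprocess
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

STATUS_PREFIX = "[GNUPG:] "
# Any of these keywords means the signature must not be trusted,
# regardless of whatever else gpg reports on other lines.
BAD_STATES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


@dataclass
class SigStatus:
    good: bool = False                      # saw a GOODSIG line
    bad: List[str] = field(default_factory=list)  # failure keywords seen
    signing_fpr: Optional[str] = None       # fingerprint of the (sub)key that signed
    primary_fpr: Optional[str] = None       # fingerprint of that key's primary key
    uid: Optional[str] = None               # user id gpg printed with GOODSIG


def parse_gpg_status(raw: str) -> SigStatus:
    """Collect the facts we need from gpg's status-fd output."""
    s = SigStatus()
    for line in raw.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue                        # human-readable noise, ignore
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        kw = fields[0]
        if kw == "GOODSIG":
            s.good = True
            s.uid = " ".join(fields[2:])
        elif kw == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <exp-ts> <ver> <reserved>
            #          <pk-algo> <hash-algo> <sig-class> <primary-key-fpr>
            s.signing_fpr = fields[1].upper()
            if len(fields) >= 11:
                s.primary_fpr = fields[10].upper()
        elif kw in BAD_STATES:
            s.bad.append(kw)
    return s


def evaluate(raw: str, allowed_primary_fprs: Iterable[str]) -> Tuple[bool, str]:
    """True only for a good signature from a listed maintainer's primary key."""
    allowed = {f.replace(" ", "").upper() for f in allowed_primary_fprs}
    st = parse_gpg_status(raw)
    if st.bad:
        return False, "signature problem: " + ",".join(st.bad)
    if not st.good or st.primary_fpr is None:
        return False, "no good signature"
    if st.primary_fpr not in allowed:
        # "Good" in gpg's eyes is not enough: the key must be one we expect.
        return False, f"good signature, but key {st.primary_fpr} is not a listed maintainer"
    return True, f"signed by {st.uid}"


def verify_tag(repo: str, tag: str, allowed_primary_fprs: Iterable[str]) -> Tuple[bool, str]:
    """Run git for a real repository; --raw sends gpg's status lines to stderr."""
    proc = subprocess.run(["git", "-C", repo, "verify-tag", "--raw", tag],
                          capture_output=True, text=True)
    ok, why = evaluate(proc.stderr, allowed_primary_fprs)
    if proc.returncode != 0:               # git itself vetoes on any failure
        return False, why if not ok else f"git verify-tag exited {proc.returncode}"
    return ok, why


# Constructed sample data (placeholder fingerprints, not real keys).
MAINTAINER_PRIMARY = "AAAA0000BBBB1111CCCC2222DDDD3333EEEE4444"
# Signed with a signing subkey (first VALIDSIG field); the last field is the
# primary-key fingerprint, which is what the allowlist is matched against.
GOOD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1234567890ABCDEF Example Maintainer <maintainer@example.org>
[GNUPG:] VALIDSIG 5555666677778888999900001234567890ABCDEF 2023-02-15 1676468257 0 4 0 1 10 01 AAAA0000BBBB1111CCCC2222DDDD3333EEEE4444
[GNUPG:] TRUST_ULTIMATE 0 pgp
"""
# Same shape, but a key nobody listed: gpg says "good", the gate still says no.
STRANGER_STATUS = GOOD_STATUS.replace(MAINTAINER_PRIMARY, "F" * 40)
# A tag whose signature does not verify.
BAD_STATUS = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 1234567890ABCDEF Example Maintainer <maintainer@example.org>\n"
# An unsigned tag: git prints an error and no status lines at all.
UNSIGNED_STATUS = "error: no signature found\n"

if __name__ == "__main__":
    for name, raw in [("good", GOOD_STATUS), ("stranger", STRANGER_STATUS),
                      ("bad", BAD_STATUS), ("unsigned", UNSIGNED_STATUS)]:
        print(name, evaluate(raw, [MAINTAINER_PRIMARY]))
    # For a real checkout (hypothetical path and tag):
    # print(verify_tag("/srv/elpa/packages/example", "v1.2.3", [MAINTAINER_PRIMARY]))
```

The allowlist is the part that matters: a signature that merely verifies against some key in the build host's keyring would also verify for an attacker who pushed a tag signed with their own key, so the gate compares the primary-key fingerprint against the maintainers recorded for that package and refuses anything else.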
From: Richard Stallman <rms@HIDDEN>
To: Ihor Radchenko <yantar92@HIDDEN>
Cc: mail@HIDDEN, 61277 <at> debbugs.gnu.org, stefan@HIDDEN, monnier@HIDDEN
Subject: Re: bug#61277: FR: ELPA security - Restrict package builds to signed git commits
Date: Sat, 11 Feb 2023 23:04:30 -0500
Message-Id: <E1pR3bK-0006gy-LL@HIDDEN>
In-Reply-To: <87pmajavp7.fsf@localhost> (message from Ihor Radchenko on Thu, 09 Feb 2023 12:07:32 +0000)

[[[ To any NSA and FBI agents reading my email: please consider ]]]
[[[ whether defending the US Constitution against all enemies, ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

> > I looked at that URL but I can't understand what it says. I see
> > several ways to parse "This was explicitly requested to be made into a
> > bug ticket on emacs-devel" so I don't know what it means. Can you
> > state your point more explicitly and not tersely?

> I meant that Daniel submitted this bug ticket after Stefan's message
> stating that
>
> >>> I think we should add some flag to the build system saying that a
> >>> package should only be released if the new tag has a valid signature...
> >>>
> >>> IMO, opening a feature request for this in the bug tracker would be
> >>> useful. A patch would be even better.

Now I think I understand. Thanks, Daniel. That was a useful thing to do.

-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)
From: Ihor Radchenko <yantar92@HIDDEN>
To: rms@HIDDEN
Cc: mail@HIDDEN, 61277 <at> debbugs.gnu.org, stefan@HIDDEN, monnier@HIDDEN
Subject: Re: bug#61277: FR: ELPA security - Restrict package builds to signed git commits
Date: Thu, 09 Feb 2023 12:07:32 +0000
Message-ID: <87pmajavp7.fsf@localhost>
In-Reply-To: <E1pPyXd-0004dk-EX@HIDDEN>

Richard Stallman <rms@HIDDEN> writes:

> > This was explicitly requested to be made into a bug ticket on
> > emacs-devel. See
> > https://yhetil.org/emacs-devel/CADwFkmkx3J=LvWT1upGMBaC3MRuyuxmAOB4ghRpYu-BCuX3sSg@HIDDEN
>
> I looked at that URL but I can't understand what it says. I see
> several ways to parse "This was explicitly requested to be made into a
> bug ticket on emacs-devel" so I don't know what it means. Can you
> state your point more explicitly and not tersely?

I meant that Daniel submitted this bug ticket after Stefan's message
stating that

>>> I think we should add some flag to the build system saying that a
>>> package should only be released if the new tag has a valid signature...
>>>
>>> IMO, opening a feature request for this in the bug tracker would be
>>> useful. A patch would be even better.

The emacs-devel discussion that includes the topic of this FR has been
started earlier in the thread I linked to. So, there is no need to move
this FR to emacs-devel - it is already being discussed there.

--
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>

From: Richard Stallman <rms@HIDDEN>
To: Ihor Radchenko <yantar92@HIDDEN>
Cc: mail@HIDDEN, 61277 <at> debbugs.gnu.org, stefan@HIDDEN, monnier@HIDDEN
Subject: Re: bug#61277: FR: ELPA security - Restrict package builds to signed git commits
Date: Wed, 08 Feb 2023 23:28:13 -0500
Message-Id: <E1pPyXd-0004dk-EX@HIDDEN>
In-Reply-To: <87sffh8zts.fsf@localhost> (message from Ihor Radchenko on Tue, 07 Feb 2023 11:44:31 +0000)

[[[ To any NSA and FBI agents reading my email: please consider ]]]
[[[ whether defending the US Constitution against all enemies, ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

I wrote:

> > Should we move this to emacs-devel? A specific bug ticket
> > is not the right place for such an important topic.

You replied:

> This was explicitly requested to be made into a bug ticket on
> emacs-devel. See
> https://yhetil.org/emacs-devel/CADwFkmkx3J=LvWT1upGMBaC3MRuyuxmAOB4ghRpYu-BCuX3sSg@HIDDEN

I looked at that URL but I can't understand what it says. I see
several ways to parse "This was explicitly requested to be made into a
bug ticket on emacs-devel" so I don't know what it means. Can you
state your point more explicitly and not tersely?

--
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)

From: Eli Zaretskii <eliz@HIDDEN>
To: Ihor Radchenko <yantar92@HIDDEN>
Cc: mail@HIDDEN, 61277 <at> debbugs.gnu.org, stefan@HIDDEN, rms@HIDDEN, monnier@HIDDEN
Subject: Re: bug#61277: FR: ELPA security - Restrict package builds to signed git commits
Date: Tue, 07 Feb 2023 14:40:19 +0200
Message-Id: <83bkm5ps24.fsf@HIDDEN>
In-Reply-To: <87sffh8zts.fsf@localhost> (message from Ihor Radchenko on Tue, 07 Feb 2023 11:44:31 +0000)

> Cc: Daniel Mendler <mail@HIDDEN>, 61277 <at> debbugs.gnu.org,
>  stefan@HIDDEN, monnier@HIDDEN
> From: Ihor Radchenko <yantar92@HIDDEN>
> Date: Tue, 07 Feb 2023 11:44:31 +0000
>
> Richard Stallman <rms@HIDDEN> writes:
>
> > Should we move this to emacs-devel? A specific bug ticket
> > is not the right place for such an important topic.
>
> This was explicitly requested to be made into a bug ticket on
> emacs-devel. See
> https://yhetil.org/emacs-devel/CADwFkmkx3J=LvWT1upGMBaC3MRuyuxmAOB4ghRpYu-BCuX3sSg@HIDDEN

The bug report is OK, but we want to discuss more general issues, I think.

From: Eli Zaretskii <eliz@HIDDEN>
To: rms@HIDDEN
Cc: mail@HIDDEN, 61277 <at> debbugs.gnu.org, stefan@HIDDEN, yantar92@HIDDEN, monnier@HIDDEN
Subject: Re: bug#61277: FR: ELPA security - Restrict package builds to signed git commits
Date: Tue, 07 Feb 2023 14:10:42 +0200
Message-Id: <83h6vxptfh.fsf@HIDDEN>
In-Reply-To: <E1pPF5v-0007YZ-6K@HIDDEN> (message from Richard Stallman on Mon, 06 Feb 2023 22:56:35 -0500)

> Cc: 61277 <at> debbugs.gnu.org, stefan@HIDDEN, yantar92@HIDDEN,
>  monnier@HIDDEN
> From: Richard Stallman <rms@HIDDEN>
> Date: Mon, 06 Feb 2023 22:56:35 -0500
>
> > My git commits are usually signed, so one could check the signature of
> > each commit which leads to a package build. This feature could be opt-in
> > for now, enabled via an attribute :signature in the elpa-packages
> > configuration. Maybe elpa-packages could store the fingerprint(s) of the
> > expected GPG key(s)?
>
> What do other maintainers think of this?

I don't have an opinion. Frankly, I don't really understand what would
signing commits give in this regard, given that people who install a
package normally install a tarball, they don't clone the Git repository.
I also don't think the goals were stated clearly, so it's hard to reason
about this. But then I'm nowhere near being an expert on this stuff, so
I could easily miss something important.

> Should we move this to emacs-devel? A specific bug ticket
> is not the right place for such an important topic.

Agreed.

From: Ihor Radchenko <yantar92@HIDDEN>
To: rms@HIDDEN
Cc: Daniel Mendler <mail@HIDDEN>, 61277 <at> debbugs.gnu.org, stefan@HIDDEN, monnier@HIDDEN
Subject: Re: bug#61277: FR: ELPA security - Restrict package builds to signed git commits
Date: Tue, 07 Feb 2023 11:44:31 +0000
Message-ID: <87sffh8zts.fsf@localhost>
In-Reply-To: <E1pPF5v-0007YZ-6K@HIDDEN>

Richard Stallman <rms@HIDDEN> writes:

> Should we move this to emacs-devel? A specific bug ticket
> is not the right place for such an important topic.

This was explicitly requested to be made into a bug ticket on
emacs-devel. See
https://yhetil.org/emacs-devel/CADwFkmkx3J=LvWT1upGMBaC3MRuyuxmAOB4ghRpYu-BCuX3sSg@HIDDEN

--
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>

From: Richard Stallman <rms@HIDDEN>
To: Daniel Mendler <mail@HIDDEN>
Cc: 61277 <at> debbugs.gnu.org, stefan@HIDDEN, yantar92@HIDDEN, monnier@HIDDEN
Subject: Re: bug#61277: FR: ELPA security - Restrict package builds to signed git commits
Date: Mon, 06 Feb 2023 22:56:35 -0500
Message-Id: <E1pPF5v-0007YZ-6K@HIDDEN>
In-Reply-To: <87pmapqoo5.fsf@HIDDEN> (message from Daniel Mendler on Sat, 04 Feb 2023 19:19:06 +0100)

[[[ To any NSA and FBI agents reading my email: please consider ]]]
[[[ whether defending the US Constitution against all enemies, ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

> As discussed on emacs-devel it would be good if ELPA security could be
> improved, preventing potential breaches on the side of the source
> repository. This feature becomes more relevant the more packages are
> :auto-sync'ed from their source repository.

I agree that we need to clean up the social system for maintaining GNU
ELPA packages. It should be as clear and documented as that for Emacs
core.

> My git commits are usually signed, so one could check the signature of
> each commit which leads to a package build. This feature could be opt-in
> for now, enabled via an attribute :signature in the elpa-packages
> configuration. Maybe elpa-packages could store the fingerprint(s) of the
> expected GPG key(s)?

What do other maintainers think of this?

It addresses one way of handling GNU ELPA packages, but not all GNU ELPA
packages are handled in this way. What other categories of packages do
we need to consider?

> In the case of a breach,

Breach of precisely what? To think about this issue requires an answer
to that question.

> both the SSH and GPG keys may be stolen, which
> would allow an attacker to create commits on hosted repositories, such
> that the mechanism would not help. However the source repository may
> also get compromised via other vectors.

Is this a problem that has a solution?

Should we move this to emacs-devel? A specific bug ticket
is not the right place for such an important topic.

--
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)

From: Ihor Radchenko <yantar92@HIDDEN>
To: Daniel Mendler <mail@HIDDEN>
Cc: bug-gnu-emacs@HIDDEN, stefan@HIDDEN, monnier@HIDDEN
Subject: Re: FR: ELPA security - Restrict package builds to signed git commits
Date: Sun, 05 Feb 2023 11:19:59 +0000
Message-ID: <87a61se4v4.fsf@localhost>
In-Reply-To: <87pmapqoo5.fsf@HIDDEN>

Daniel Mendler <mail@HIDDEN> writes:

> My git commits are usually signed, so one could check the signature of
> each commit which leads to a package build. This feature could be opt-in
> for now, enabled via an attribute :signature in the elpa-packages
> configuration. Maybe elpa-packages could store the fingerprint(s) of the
> expected GPG key(s)?

I think that requiring every single commit to be signed is an overkill.
Maybe just the release tags?

I guess, :signature, if optional, may allow multiple levels of
verification:

1. nil :: no verification
2. (tags key1 key2 ...) :: verify release tags to match any of the listed GPG keys
3. (commits key1 key2 ...) :: verify every commit

I am not sure what would be the most reliable way to specify the keys.

Also, people with write access to ELPA repo may be required to sign
their commits -- in the case of security breach if the SSH key gets
stolen, signing may be a barrier to protect altering the elpa-packages
configuration from injecting malicious GPG keys.

--
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>

From: Daniel Mendler <mail@HIDDEN>
To: bug-gnu-emacs@HIDDEN
Cc: yantar92@HIDDEN, stefan@HIDDEN, monnier@HIDDEN
Subject: FR: ELPA security - Restrict package builds to signed git commits
Date: Sat, 04 Feb 2023 19:19:06 +0100
Message-ID: <87pmapqoo5.fsf@HIDDEN>

As discussed on emacs-devel it would be good if ELPA security could be
improved, preventing potential breaches on the side of the source
repository. This feature becomes more relevant the more packages are
:auto-sync'ed from their source repository.

My git commits are usually signed, so one could check the signature of
each commit which leads to a package build. This feature could be opt-in
for now, enabled via an attribute :signature in the elpa-packages
configuration. Maybe elpa-packages could store the fingerprint(s) of the
expected GPG key(s)?

In the case of a breach, both the SSH and GPG keys may be stolen, which
would allow an attacker to create commits on hosted repositories, such
that the mechanism would not help. However the source repository may
also get compromised via other vectors.

https://lists.gnu.org/archive/html/emacs-devel/2023-02/msg00120.html

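Editor's added example, not code from this thread or from elpa-admin. It works through the two proposals above: Daniel's opt-in :signature attribute pinning the expected GPG fingerprint(s) in elpa-packages, and Ihor's three levels (nil, (tags key1 key2 ...), (commits key1 key2 ...)). The spec shapes, the fingerprints, the commit hashes and the tag status lines are all constructed here so the check runs offline; a real build step would feed it the output of `git log --format='%H%x09%G?%x09%GF' OLD..NEW` (for the commits level) or the gpg status lines of `git verify-tag --raw TAG` (for the tags level). It also shows the two details Ihor left open: keys are accepted only as full 40-hex fingerprints (short key ids are rejected), and git's "U" status (good signature, key not in the build host's trust database) is accepted only because the pinned fingerprint, not the host's trustdb, is the trust anchor.

```python
"""Policy check for the proposed ELPA ':signature' attribute.

Added example, not elpa-admin code.  Assumed spec shapes follow the thread:
  None                     no verification
  ("tags", [FPR, ...])     the release tag must be signed by a listed key
  ("commits", [FPR, ...])  every commit since the last build must be
Commit status is what  git log --format='%H%x09%G?%x09%GF' OLD..NEW  prints;
tag status is the gpg status-fd output of  git verify-tag --raw TAG.
Both inputs are constructed inline below so the check runs offline.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

HEX40 = re.compile(r"^[0-9A-F]{40}$")  # full fingerprints only, never short key ids


@dataclass(frozen=True)
class SigStatus:
    ref: str          # commit hash or tag name
    code: str         # git %G? code: G B U X Y R E N
    fingerprint: str  # primary-key fingerprint, "" when unsigned


def norm_fpr(fpr: str) -> str:
    return fpr.replace(" ", "").upper()


def parse_git_log(text: str) -> list[SigStatus]:
    """Parse '%H<TAB>%G?<TAB>%GF' lines as printed by git log."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            h, code, fpr = line.split("\t")
            rows.append(SigStatus(h, code, norm_fpr(fpr)))
    return rows


def parse_gpg_status(tag: str, text: str) -> SigStatus:
    """Reduce gpg --status-fd lines for one tag to a git-style %G? code."""
    code, fpr, trusted = "N", "", False
    for line in text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        f = line.split()[1:]
        if f[0] == "VALIDSIG":      # f[1] = signing (sub)key, f[10] = primary key
            fpr = norm_fpr(f[10] if len(f) > 10 else f[1])
        elif f[0] == "GOODSIG":     # good signature; trust is reported separately
            code = "U"
        elif f[0] in ("TRUST_FULLY", "TRUST_ULTIMATE"):
            trusted = True
        else:
            code = {"BADSIG": "B", "EXPSIG": "X", "EXPKEYSIG": "Y",
                    "REVKEYSIG": "R", "ERRSIG": "E", "NO_PUBKEY": "E"}.get(f[0], code)
    return SigStatus(tag, "G" if code == "U" and trusted else code, fpr)


def check_policy(spec, statuses: list[SigStatus]) -> tuple[bool, list[str]]:
    """Decide whether the build may proceed; anything doubtful fails closed."""
    if spec is None:
        return True, []
    level, keys = spec
    allowed = {norm_fpr(k) for k in keys}
    problems = [f"{k}: not a full 40-hex fingerprint"
                for k in sorted(allowed) if not HEX40.match(k)]
    if level not in ("tags", "commits"):
        problems.append(f"unknown :signature level {level!r}")
    if not allowed or not statuses:
        problems.append("policy lists no keys, or there is nothing to verify")
    if problems:
        return False, problems
    for s in statuses:
        # G (good, key trusted on this host) and U (good, key not in the build
        # host's trustdb) are both accepted: the pinned fingerprint is the
        # trust anchor here, not the host's gpg trust settings.  All other
        # codes (bad, expired, revoked, unverifiable, unsigned) reject.
        if s.code in ("G", "U") and s.fingerprint in allowed:
            continue
        problems.append(f"{s.ref}: status {s.code}, key {s.fingerprint or 'none'} not accepted")
    return not problems, problems


# Constructed sample data: every fingerprint and hash below is a placeholder.
KEY_A = "0123456789ABCDEF0123456789ABCDEF01234567"   # listed maintainer key
KEY_B = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"   # some other key
SAMPLE_LOG = "\n".join([
    "1" * 40 + "\tG\t" + KEY_A,   # good, listed key
    "2" * 40 + "\tU\t" + KEY_B,   # good signature by a key that is not listed
    "3" * 40 + "\tN\t",           # unsigned
])
SAMPLE_TAG = "v1.0"
SAMPLE_TAG_STATUS = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Maintainer <maint@example.org>",
    "[GNUPG:] VALIDSIG " + KEY_A + " 2023-02-04 1675530000 0 4 0 1 10 01 " + KEY_A,
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
])

if __name__ == "__main__":
    commits = parse_git_log(SAMPLE_LOG)
    print("commits level:", check_policy(("commits", [KEY_A]), commits))
    tag = parse_gpg_status(SAMPLE_TAG, SAMPLE_TAG_STATUS)
    print("tags level:", check_policy(("tags", [KEY_A]), [tag]))
```

With the constructed data, the commits level rejects the build twice (one commit signed by an unlisted key, one unsigned), while the tags level accepts the tag: gpg reports TRUST_UNDEFINED for the key, which git would show as "U", but the primary-key fingerprint from VALIDSIG matches the pinned one. Listing the short id 89ABCDEF01234567 instead of the full fingerprint is rejected outright.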
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.