Jean Louis <bugs@gnu.support> writes:
> * Tim Cross <theophil...@gmail.com> [2020-11-24 23:40]:
>> If people are really concerned about security, they should look first at
>> their use of repositories like MELPA. There is no formal review or
>> analysis of packages in these repositories, yet people will happily
>> select some package and install it.
>
> Interesting that you are one who mentions that. There are just a few
> people who have ever mentioned it.
>
> I am still in the process of the review of MELPA packages and its
> system. There are many security issues.
>
> Package signing is one example. It does not offer much security
> when packages are signed automatically, but it raises the level of
> security.
>
> MELPA packages and archive-contents are not PGP signed, while GNU ELPA
> packages are signed.
>

IMO signing of packages is irrelevant when there is no formal review process or even any formal process to verify the credentials of signatures. In fact, just adding signing would likely be counter-productive as it would give the impression of some sort of security where there is none. Basically, anyone can upload anything to MELPA. The only way anyone would find out that an uploaded package has malicious code is if someone does a code review and spots the malicious payload. Even once they find that, there is little chance of being able to attribute the actions to any individual because no real identity vetting is conducted. MELPA is the wild west. The new non-GNU repository has been set up precisely due to both the licensing issue and the fact that many MELPA packages recommend/encourage the use of non-free software/services. While non-GNU will improve this situation, I don't believe there are any plans to actively review the code in the packages. So, like MELPA, all you really have to go on is package reputation. You cannot have any high level of confidence that a package does not contain malicious code other than an expectation that if it is used by a sufficiently large number of users, it is unlikely.
This is not an issue unique to Emacs. You only have to look at the issues both Google's Play Store and Apple's App Store have had in the past to see what the risks are. Both Google and Apple have put large amounts of resources into trying to ensure their repository content is safe and yet they still have failures. Something like GNU Emacs has nowhere near the same resources, so it is unlikely to come even close to the same level of security.
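As an added illustration of the distinction the thread draws between signed GNU ELPA and unsigned MELPA archives (this is not code from the thread or from either project), the following shows how Emacs's built-in package.el can be told to require signatures per archive; the archive names and URLs are the conventional ones and are assumed here. Note what this does and does not buy: a valid signature shows the archive was produced by the holder of the key in the local keyring, and nothing more about the code inside.

```elisp
;; Added example, not from the thread: make signature checking explicit
;; per archive rather than relying on the permissive default.
(require 'package)

;; Archives as conventionally configured (assumed names and URLs).
(setq package-archives
      '(("gnu"   . "https://elpa.gnu.org/packages/")
        ("melpa" . "https://melpa.org/packages/")))

;; The default, 'allow-unsigned, verifies a signature when a .sig file is
;; present and silently accepts the package when there is none, so an
;; unsigned archive is never distinguished from a signed one.
;;
;; With 'all, every archive must be signed unless it is explicitly listed
;; in `package-unsigned-archives', which turns the trust decision for an
;; unsigned archive such as MELPA into a visible choice in the config.
(setq package-check-signature 'all)
(setq package-unsigned-archives '("melpa"))

;; Signatures are verified against the keyring in `package-gnupghome-dir'
;; (by default the elpa/gnupg directory under `user-emacs-directory').
;; A good signature binds the archive-contents and package tarballs to
;; that key; it does not mean anyone has reviewed the package's code.
```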