Don't install insecurely without el-get-allow-insecure. #1856

Merged
merged 3 commits into from Aug 13, 2014

Contributor

technomancy commented Aug 12, 2014

In most cases, we assume any connection is insecure unless the URL
starts with "https://", "$USERNAME@", or "ssh". There are a few
exceptions: I'm assuming all Emacswiki packages are insecure, and I
don't think we can know whether packages installed via Google Go are
secure or not.

Owner

dimitri commented Aug 12, 2014

+1 for the basic idea. Please include changes to documentation (including the .info file, obtained via make el-get.info, no Makefile needed).

I would have made it t by default at first, for backward compat. What do you think?

Contributor

technomancy commented Aug 12, 2014

Sure; I will add documentation. You're right about backwards-compatibility; I guess activating this by default will have to wait for the next major version bump.

(not (string-match "^https://" url))
(not (string-match "^[-_\.A-Za-z0-9]+@" url))
(not (string-match "^ssh" url)))
(error (concat "Attempting to clone insecure package "
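
Review bot: the third pattern, "^ssh", is a bare prefix match, so it accepts any URL whose first three characters are "ssh" and not only the ssh:// scheme; anchoring on "ssh://" would state the intent exactly. All three patterns also use "^", which in Emacs regexps matches at the start of any line rather than the start of the string; "\\`" is the string-start anchor. It would help to add a comment next to the "[-_\.A-Za-z0-9]+@" pattern saying which URL form it is meant to admit, since that is not obvious from the regexp alone.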


npostavs Aug 12, 2014

Collaborator

s/clone/install

Collaborator

npostavs commented Aug 12, 2014

Would it make sense to consider an otherwise "insecure" installation as "secure" if we have set :checksum in the recipe?

Contributor

technomancy commented Aug 13, 2014

@npostavs I think that's a good idea, but it complicates the implementation. I'd like to get this merged first, then that could be added.

technomancy added some commits Aug 13, 2014

Set el-get-allow-insecure to avoid breakage.
This should be changed to nil in a future major release bump.

dimitri added a commit that referenced this pull request Aug 13, 2014

Merge pull request #1856 from technomancy/allow-insecure
Don't install insecurely without el-get-allow-insecure.

@dimitri dimitri merged commit 19baef1 into dimitri:master Aug 13, 2014

1 check passed

continuous-integration/travis-ci The Travis CI build passed
Owner

dimitri commented Aug 13, 2014

Thanks!

Yes, +1 for @npostavs's idea, let's consider checksummed contents that match the checksum as secure. Let's have it brew a little on users, and as soon as reported used and working enough we could switch to 5.2 and set el-get-insecure to nil by default.

@technomancy technomancy deleted the technomancy:allow-insecure branch Aug 13, 2014

Contributor

technomancy commented Jan 28, 2016

It has come to my attention that just checking for HTTPS URLs is woefully inadequate for downloads which happen in-process: https://glyph.twistedmatrix.com/2015/11/editor-malware

I've disabled all in-emacs downloads, only allowing HTTPS git in my own fork, but maybe it should at least be documented that this setting does not actually prevent insecure downloads from happening?

Collaborator

npostavs commented Jan 28, 2016

See also #2287.

> but maybe it should at least be documented that this setting does not actually prevent insecure downloads from happening?

Sounds like a good idea.

Contributor

manandbytes commented on el-get-methods.el in acdcb6e Sep 2, 2016

Could someone elaborate what sort of URLs are valid when starting with username@?
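
To see which URL shapes the three patterns quoted in this thread admit, including the "$USERNAME@" form, the following is an added example, not el-get's own code and not written by any participant. Every `demo-` name and every sample URL is constructed for illustration, and the `:checksum` rule follows the proposal made in the discussion, assuming the checksum is actually verified against the downloaded content.

```elisp
;;; Added example; not part of el-get.  All `demo-' names are hypothetical.
(require 'cl-lib)

(defvar demo-allow-insecure nil
  "Stand-in for `el-get-allow-insecure'.  nil means refuse insecure installs.")

(defconst demo-secure-url-regexps
  '("^https://" "^[-_\.A-Za-z0-9]+@" "^ssh")
  "The three patterns quoted in the review snippet, copied unchanged.")

(defun demo-url-looks-secure-p (url)
  "Return non-nil when URL matches one of `demo-secure-url-regexps'."
  (cl-some (lambda (re) (string-match-p re url)) demo-secure-url-regexps))

(defun demo-install-allowed-p (recipe)
  "Return non-nil when RECIPE (a plist with :url) may be installed.
A recipe carrying :checksum is treated as secure, as proposed in the
thread; this assumes the download is verified against that checksum."
  (or demo-allow-insecure
      (plist-get recipe :checksum)
      (demo-url-looks-secure-p (plist-get recipe :url))))

(defconst demo-recipes
  ;; Constructed sample recipes, one per URL shape worth checking.
  '((:url "https://example.org/pkg.git")
    (:url "git@example.org:user/pkg.git")    ; scp-style SSH, user before "@"
    (:url "ssh://git@example.org/pkg.git")   ; explicit ssh scheme
    (:url "http://example.org/pkg.el")       ; plain HTTP
    (:url "git://example.org/pkg.git")       ; unauthenticated git protocol
    (:url "http://user@example.org/pkg.el")  ; "@" present, but after "://"
    (:url "http://example.org/pkg.el" :checksum "constructed-checksum"))
  "Sample inputs for `demo-report'.")

(defun demo-report ()
  "Return a list of (URL . ALLOWED) pairs for `demo-recipes'."
  (mapcar (lambda (recipe)
            (cons (plist-get recipe :url)
                  (and (demo-install-allowed-p recipe) t)))
          demo-recipes))
```

Evaluate `(demo-report)` in a scratch buffer, then again with `demo-allow-insecure` bound to `t`, to compare which recipes each setting admits.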
