Warn before assimilating an unsafe package #20
Comments

tarsius referenced this issue in emacscollective/epkg on Sep 15, 2017: Optionally hide unsafe packages #7 (Open)
tarsius self-assigned this on Sep 19, 2017
tarsius added the enhancement label on Sep 19, 2017
tarsius commented Sep 15, 2017 (edited)
All packages are somewhat unsafe because no review happens. There's nothing we can do about that, we cannot review all packages.
But some packages are more unsafe than others. Packages from the Emacswiki are completely unsafe because it does not even require that the maintainer of a package decides to launch an attack or gets hacked - anyone can edit any package on the Emacswiki.
Even though it is now possible and encouraged to clone a package before assimilating it to have a chance to review it before executing any of its code, some extra protection should be added. So start warning when the user attempts to assimilate a package and optionally also do so before cloning.
The same should optionally be done for packages that are fetched over an insecure connection.
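One way the warning described in this issue could be wired up, as an added illustration that is not borg's or epkg's own code: a predicate that classifies a package source URL as Emacswiki-hosted or as fetched over an unauthenticated transport, a confirmation prompt built on it, and advice that runs the prompt before cloning. The `my-` function names are hypothetical, and the `borg-clone` signature `(package url &rest ...)` is assumed.

```elisp
;; Added example, not borg/epkg code.  `my-' names are hypothetical and
;; the argument order of `borg-clone' (package url ...) is assumed.

(defun my-borg-unsafe-source-p (url)
  "Return why URL is an unsafe package source, or nil if no issue is known.
`wiki' means the Emacswiki, where anyone can edit any package.
`insecure' means an unauthenticated transport (http:// or git://)."
  (cond ((string-match-p "\\`https?://\\(www\\.\\)?emacswiki\\.org/" url) 'wiki)
        ((string-match-p "\\`\\(http\\|git\\)://" url) 'insecure)
        (t nil)))

(defun my-borg-confirm-unsafe-source (url action)
  "Ask the user to confirm ACTION (a string such as \"Clone\") on URL.
Safe URLs pass silently; declining the prompt signals a `user-error'."
  (pcase (my-borg-unsafe-source-p url)
    ('wiki
     (or (yes-or-no-p
          (format "%s %s: anyone can edit packages on the Emacswiki. Continue? "
                  action url))
         (user-error "Aborted: refused Emacswiki source %s" url)))
    ('insecure
     (or (yes-or-no-p
          (format "%s %s: %s:// is not authenticated, contents could be altered in transit. Continue? "
                  action url (car (split-string url ":"))))
         (user-error "Aborted: refused insecure transport for %s" url)))
    (_ t)))

;; Warn before cloning (the same advice could be added to the assimilate
;; step, which is where the package's code is first executed).
(advice-add 'borg-clone :before
            (lambda (_package url &rest _)
              (my-borg-confirm-unsafe-source url "Clone")))
```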