GNU ELPA security and Org-mode
Stefan Monnier
2017-04-06 15:04:29 UTC
I just realized that the GPG-signing we're doing in GNU ELPA is
weaker for the org-mode packages than for all others:

All GNU ELPA packages, except for org-mode, are generated by
elpa.gnu.org from an elpa.git checkout (via https, not sure if Git
checks the key), whereas the org-mode package is downloaded from
http://orgmode.org/elpa.

So the org-mode package has weaker points:
- uses http rather than https.
- downloaded from a machine that's further (well, not absolutely sure,
but I assume that elpa.gnu.org and git.sv.gnu.org are near each other).

Maybe we should consider some way to take the org packages from
http://orgmode.org/elpa, and push them to elpa.git. This way even if
this transfer from orgmode.org to elpa.git suffers from the same risks,
the resulting patch would be sent to elpa-diffs, so it would be exposed
for review (how much review it would really get is clearly debatable,
tho).


Stefan
Bastien
2018-04-28 11:19:15 UTC
Hi Stefan,
Post by Stefan Monnier
- uses http rather than https.
Just to mention that org is now available through https too:

~$ git clone https://code.orgmode.org/bzg/org-mode.git

Not sure if something remains to be done in this thread, but
if I can help let me know.

Best,
--
Bastien
Stefan Monnier
2018-04-30 02:15:04 UTC
Post by Bastien
Post by Stefan Monnier
- uses http rather than https.
~$ git clone https://code.orgmode.org/bzg/org-mode.git
We don't use the Git (currently), but yes, thanks for making an https
version available.
Post by Bastien
Not sure if something remains to be done in this thread, but
if I can help let me know.
Well, if the "list of tarballs" (at https://orgmode.org/elpa) could be
kept in a Git branch instead, that would be great.


Stefan
Bastien
2018-04-30 07:13:24 UTC
Hi Stefan,
Post by Stefan Monnier
Well, if the "list of tarballs" (at https://orgmode.org/elpa) could be
kept in a Git branch instead, that would be great.
Not sure what you mean exactly by keeping the list of tarballs in a
Git branch. In which Git repository?
--
Bastien
Stefan Monnier
2018-04-30 12:29:13 UTC
Post by Bastien
Post by Stefan Monnier
Well, if the "list of tarballs" (at https://orgmode.org/elpa) could be
kept in a Git branch instead, that would be great.
Not sure what you mean exactly by keeping the list of tarballs in a
Git branch.
Just that instead of having a bunch of tarballs in a directory (where
each tarball corresponds to a particular tree of files), I'd much rather
have a Git branch (where each revision holds a corresponding tree of
files).
Post by Bastien
In which Git repository?
Doesn't matter which (tho, ideally, it should be elpa.git, and the
branch should be named "externals/org").


Stefan
Bastien
2018-04-30 13:34:32 UTC
Hi Stefan,
Post by Stefan Monnier
Doesn't matter which (tho, ideally, it should be elpa.git, and the
branch should be named "externals/org").
To summarise:

- I create a branch on elpa.git called "externals/org".

- I create the "elpa/packages/org" directory in this branch.

- I copy the content of an Org ELPA archive (eg org-20180430.tar)
into this directory, with org-{version|pkg|loaddefs}.el files.

- I commit and publish this "externals/org" branch on the public
elpa.git repository.

Is that so?
--
Bastien
Stefan Monnier
2018-04-30 13:42:47 UTC
Post by Bastien
- I create a branch on elpa.git called "externals/org".
Right.
Post by Bastien
- I create the "elpa/packages/org" directory in this branch.
No. It should contain the same files with the same names as the
tarball would.
Post by Bastien
- I copy the content of an Org ELPA archive (eg org-20180430.tar)
into this directory, with org-{version|pkg|loaddefs}.el files.
Yes, except for org-pkg.el (the corresponding info should be in org.el
instead).
Post by Bastien
- I commit and publish this "externals/org" branch on the public
elpa.git repository.
Is that so?
Yup,


Stefan
Stefan Monnier
2018-04-30 13:52:29 UTC
Post by Stefan Monnier
Post by Bastien
- I create a branch on elpa.git called "externals/org".
Right.
To clarify, this is not a branch of the `master` branch of elpa.git.
It's rather a brand new empty branch (or maybe a branch taken from
org.git/master).


Stefan
Bastien
2018-04-30 13:55:37 UTC
Thanks for the feedback.
Post by Stefan Monnier
Post by Bastien
- I create the "elpa/packages/org" directory in this branch.
No. It should contain the same files with the same names as the
tarball would.
Not sure here.

Do you mean elpa.git should contain

elpa/packages/org-20180430/org.el
elpa/packages/org-20180430/org-table.el

etc.?
Post by Stefan Monnier
Post by Bastien
- I copy the content of an Org ELPA archive (eg org-20180430.tar)
into this directory, with org-{version|pkg|loaddefs}.el files.
Yes, except for org-pkg.el (the corresponding info should be in org.el
instead).
Because org-pkg.el is generated by elpa/GNUmakefile, right?

If so, why add org-loaddefs.el, since org-autoloads.el would also be
autogenerated?

And would org-version.el still be required?

Or the package version would just be extracted from the org.el
"Version: 9.1.12" keyword?

If possible, I'd like to not add org-loaddefs.el and org-version.el
and have org-autoloads.el and the package version autogenerated like
for any other package.
--
Bastien
Stefan Monnier
2018-04-30 14:00:44 UTC
Post by Bastien
Post by Stefan Monnier
Post by Bastien
- I create the "elpa/packages/org" directory in this branch.
No. It should contain the same files with the same names as the
tarball would.
Not sure here.
Do you mean elpa.git should contain
elpa/packages/org-20180430/org.el
elpa/packages/org-20180430/org-table.el
No:

% cd .../elpa; git checkout externals/org; ls

should show something like

org.el
org-agenda.el
...


-- Stefan
Bastien
2018-04-30 14:07:44 UTC
Post by Stefan Monnier
Post by Bastien
Post by Stefan Monnier
Post by Bastien
- I create the "elpa/packages/org" directory in this branch.
No. It should contain the same files with the same names as the
tarball would.
Not sure here.
Do you mean elpa.git should contain
elpa/packages/org-20180430/org.el
elpa/packages/org-20180430/org-table.el
% cd .../elpa; git checkout externals/org; ls
should show something like
org.el
org-agenda.el
...
Okay, thanks, will do this.

BTW, https://elpa.gnu.org seems down ATM.
--
Bastien
Stefan Monnier
2018-04-30 16:37:52 UTC
Post by Bastien
BTW, https://elpa.gnu.org seems down ATM.
You got unlucky: I was just performing a minor "aptitude upgrade" on it.


Stefan
Bastien
2018-05-01 08:07:43 UTC
Post by Stefan Monnier
Post by Bastien
BTW, https://elpa.gnu.org seems down ATM.
You got unlucky: I was just performing a minor "aptitude upgrade" on it.
No problem, it's working fine now, thanks.
--
Bastien
Bastien
2018-04-30 14:10:40 UTC
Post by Bastien
If so, why adding org-loaddefs.el since org-autoloads.el would also be
autogenerated?
And would org-version.el still be required?
Just for this: shall I add org-version.el and org-loaddefs.el?
--
Bastien
Stefan Monnier
2018-04-30 14:18:19 UTC
Post by Bastien
If so, why adding org-loaddefs.el since org-autoloads.el would also be
autogenerated?
And would org-version.el still be required?
I don't really know precisely what those files are about, but to the
extent that they're specific to Org, I don't see any reason to treat
them differently from any other org*.el file here.

AFAIK org-loaddefs.el is supposed to only be loaded when org-mode is
activated, whereas org-autoloads.el is loaded at Emacs start up (so it
should mostly contain an autoload for `org-mode` itself).

The elpa.gnu.org scripts will not look for the package's version in
org-version.el but in org.el's "Version:" header, but presumably
org-version.el is used by Org, so it's probably still useful (tho Org
could be changed to look for the corresponding info in org.el's
"Version:" header as well).


Stefan
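The import procedure agreed earlier in the thread (the tarball's files placed flat at the root of an "externals/org" branch, org-pkg.el left out) and the version rule Stefan states here (the elpa.gnu.org scripts read org.el's "Version:" header) can be tried together in one script. The following is an added example, not the elpa.gnu.org build scripts and not code from the Org project; the tarball it reads is constructed inline with placeholder contents, and the header syntax `;; Version: X` is assumed to be the usual Emacs lisp-mnt header form rather than anything the thread spells out.

```python
"""Turn an Org ELPA tarball into the flat file set an elpa.git
"externals/org" branch would hold, and read the package version from
org.el's ";; Version:" header.

Added example: not the elpa.gnu.org scripts nor Org's own code.  The
tarball is constructed in memory with placeholder file contents.
"""
import io
import re
import tarfile
from pathlib import PurePosixPath

# Per the thread, org-pkg.el must not be copied into the branch; its
# information belongs in org.el's headers instead.
EXCLUDED = {"org-pkg.el"}

# Assumed lisp-mnt header convention: a comment line ";; Version: 9.1.12".
VERSION_HEADER = re.compile(r"^;;+\s*Version:\s*(\S+)\s*$", re.MULTILINE)


def build_sample_tarball() -> bytes:
    """Constructed stand-in for org-20180430.tar (placeholder contents)."""
    members = {
        "org-20180430/org.el":
            ";;; org.el --- Outline-based notes\n\n;; Version: 9.1.12\n\n(provide 'org)\n",
        "org-20180430/org-table.el":
            ";;; org-table.el\n(provide 'org-table)\n",
        "org-20180430/org-version.el":
            "(defun org-release () \"9.1.12\")\n",
        "org-20180430/org-loaddefs.el":
            ";;; org-loaddefs.el --- autoloads used once Org is active\n",
        "org-20180430/org-pkg.el":
            '(define-package "org" "9.1.12" "Outline-based notes")\n',
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, text in members.items():
            data = text.encode("utf-8")
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def branch_tree(tar_bytes: bytes) -> dict:
    """Return {filename: contents} as the externals/org checkout should look.

    The tarball's single top-level directory (org-20180430/) is stripped so
    the files sit at the root of the checkout, and org-pkg.el is dropped.
    Everything stays in memory; nothing is written to disk.
    """
    tree = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            path = PurePosixPath(member.name)
            # Exactly "<topdir>/<file>"; anything else is not the expected layout.
            if len(path.parts) != 2 or ".." in path.parts:
                raise ValueError(f"unexpected entry in tarball: {member.name}")
            name = path.name
            if name in EXCLUDED:
                continue
            tree[name] = tar.extractfile(member).read().decode("utf-8")
    return tree


def package_version(tree: dict) -> str:
    """Version as the elpa.gnu.org scripts take it: from org.el's header."""
    match = VERSION_HEADER.search(tree["org.el"])
    if match is None:
        raise ValueError("org.el has no Version: header")
    return match.group(1)


if __name__ == "__main__":
    files = branch_tree(build_sample_tarball())
    print("files for externals/org:", sorted(files))
    print("package version:", package_version(files))
```

Running it lists org.el, org-table.el, org-version.el and org-loaddefs.el (org-pkg.el is absent) and reports version 9.1.12 taken from the header, which is the information the branch would carry in place of org-pkg.el.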
Bastien
2018-04-30 15:18:02 UTC
Post by Stefan Monnier
Post by Bastien
If so, why adding org-loaddefs.el since org-autoloads.el would also be
autogenerated?
And would org-version.el still be required?
I don't really know precisely what those files are about, but to the
extent that they're specific to Org, I don't see any reason to treat
them differently from any other org*.el file here.
Okay.
Post by Stefan Monnier
AFAIK org-loaddefs.el is supposed to only be loaded when org-mode is
activated, whereas org-autoloads.el is loaded at Emacs start up (so it
should mostly contain an autoload for `org-mode` itself).
Got it, thanks.
Post by Stefan Monnier
The elpa.gnu.org scripts will not look for the package's version in
org-version.el but in org.el's "Version:" header, but presumably
org-version.el is used by Org, so it's probably still useful (tho Org
could be changed to look for the corresponding info in org.el's
"Version:" header as well).
Yes, that's another topic.

Do you have an example of a package where M-x [package]-version RET
looks for the version in the Version: header?
--
Bastien
Stefan Monnier
2018-04-30 15:37:12 UTC
Post by Bastien
Do you have an example of a package where M-x [package]-version RET
looks for the version in the Version: header?
I did that in bbdb, yes (in elpa.git).


Stefan
Bastien
2018-05-01 08:07:52 UTC
Post by Stefan Monnier
Post by Bastien
Do you have an example of a package where M-x [package]-version RET
looks for the version in the Version: header?
I did that in bbdb, yes (in elpa.git).
Thanks,
--
Bastien