Re: [patch] enhancements to package-ui.el

Wednesday, 7 October 1998

        greg(a)alphatech.com (Greg Klanderman) writes:

...
 All this package-get-base.el stuff is such a pain.  Now there's
the
 incremental updates to deal with...  blech.    I wish we could just
 reliably and automagically snarf the current one off ftp.xemacs.org.
 Suggestions anyone? 
When I originally wrote the code, one thing I was concerned about was
XEmacs being easily exploited for trojan horse attacks.  In
particular, a talented hacker could intercept ftp requests to
ftp.xemacs.org and substitude their own versions of packages -- hence
the md5 checksum for each package.  But then the problem becomes
grabing package-get-base.el -- if that gets intercepted then there is
a problem.  Bogus md5sum's can be substituted, host names
changed, package locations, etc.

I pictured two distribution methods for package-get-base.el.  It
either gets sent with the entire distribution (which are signed).  If
that is corrupted, well you have bigger problems anyway.  The second
was a periodic posting to a newsgroup/mailing list.  Presumably, such
an article would be PGP signed and could be verified as being from the
poster.

Automatic access to package-get-base.el is dangerous.

--pete

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

Re: [patch] enhancements to package-ui.el