Stephen,
On 8/13/02 6:06 PM, "Stephen J. Turnbull" <stephen(a)xemacs.org> wrote:
>>>>> "Ovidiu" == Ovidiu Predescu
<ovidiu(a)xemacs.org> writes:
Ovidiu> I think Xemacs needs to have cryptographically signed
Ovidiu> packages by default on its main site. Right now we don't
Ovidiu> do any check to verify the authenticity of the packages,
We have MD5 checksums available; MD5 failures are the most common
single package bug. This could easily (I think) be upgraded to
individual GPG signatures, and Steve did sign the checksum list.
I don't think the upgrade process is that easy. I'm not an expert, but
managing the public keys and all that, do require some management effort,
which translates into a non-zero amount of design and code.
Ovidiu> and a malicious hacker might easily change the
packages.
Hell, Ovidiu, we don't know whether _you_ are a white hat or a black
hat. Or me, for that matter. (Dennis Ritchie is a confessed white
hat.) There are easier ways to suborn the packages than breaking
security on Tux or the maintainers' personal machines.
I'm not worried about package authors, I worry about the bad guys modifying
legitimate package to run malicious code.
IMHO if someone worries enough about security that they worry about
XEmacs Lisp packages, they should not have an Emacs of any flavor
installed at all. We take some care with shells and things like that
to prevent echoing of passwords, but I regularly get cleartext when I
upgrade ssh or fiddle with my password prompt regexp. Other than that
simple service to users, Emacs is a security hole waiting to happen.
This is not good news. I think sooner or later, the bad guys will starting
hunting security bugs in Emacs, which is a fairly popular platform on
Unix/Linux. At the very least we should make sure we don¹t get fooled into
installing malicious packages, and have open sockets accepting connections
from the Internet.
Hell, we've at least suggested massive security violations
ourselves
(Steve Y once suggested automatically including init.el and custom.el
in the automatic bug report, for example). We do include the last 300
keystrokes automatically. Etc, etc.
That said, I don't disagree with signing the packages. But we should
make absolutely clear that this is a consistency check, not a serious
security measure.
Yes, I agree with you.
Best regards,
--
Ovidiu Predescu <ovidiu(a)xemacs.org>
http://www.webweavertech.com/ovidiu/weblog/index.html (Weblog)
http://www.geocities.com/SiliconValley/Monitor/7464/ (Apache, GNU, Emacs...)