2013-01-23 Security of Code Downloaded from Online Sources
In the anonymous rant The Wikemacs Experiment: 300 Days Later, the author claims “The biggest problem is that it is *insecure*. [...] Anyone can edit any of the pages that contain Elisp code.” The same sentiment was expressed by Alex Bennée in a comment on Google+: “What is really needed is a way to be sure that the source for the emacs extension you’re updating hasn’t been subverted by someone else with ill intent.”
I said:
Experiences and ideas of “what is really necessary” vary. As for myself, I’ve installed code from all over the Internet without reviewing the source. Installing it from a gist or git repo is hardly a different experience. If you want to figure out whether a source is trustworthy, you do the usual things: do people link to the code, how long has it been around, what about recent checkins, that sort of thing. Or you get into the crypto business of signing releases.
You could of course say that every day that passes without a problem increases our false sense of security... I have no answer to that. All I can say is that if security is your problem, using gists and github is not the solution (as you say yourself). The source of the insecurity is our habits, our culture of downloading and installing anything and everything. I’m not sure how you’ll ever make sure “that the source for the emacs extension you’re updating hasn’t been subverted by someone else with ill intent.” That seems pretty impossible to me unless you limit yourself to the core Emacs distribution (and even that’s not a guarantee).
People on the #emacs channel keep asking “is there a way to do X” and thus my impression is that *finding* stuff is a more pressing problem. I feel that encouraging people to create a page on the wiki saying “here is code to help you do something” is the solution to that problem.
But then again, I guess we all differ in what we consider to be the most pressing problem.
Alex Bennée then correctly points out that using “a user locked solution like a gist or git repo you can at least be assured what you’re installing has come through one person who you’ve trusted to a degree before.” I guess that’s true. We’ll see whether people start switching over to using gists instead of editing wiki pages. I said in an earlier comment:
I added gist support [...] because it was easy to do, not because it will encourage existing authors to move their elisp code on wiki pages to github. If at all, it might encourage future elisp authors to transclude a gist... But then again, there’s nothing preventing them from linking to a gist right now. Perhaps it’s also a generational thing. People that have been living without github and gists don’t feel a particular need to start using it.
Interesting times.
#Web #Security #Emacs #Wikis
Comments
(Please contact me if you want to remove your comment.)
Hi Alex,
first of all - thank you very much for Oddmuse! I’m using it for both my personal site and Department's site. It has some rough edges, but overall I find it a very nice tool, and I did recommend it to a few people.
Now to the point: I was just wondering whether it might be a good idea to use stackoverflow with [emacs] tag (which you mentioned in your earlier post), or maybe even start something like emacs.stackexchange.com? I’m not sure whether it could solve any problems you mentioned, but (at least for the more paranoia-oriented people) it might feel a bit more secure, with all the comments, up- and downvotes etc. I don’t know. (Personally, I didn’t use any actual *code* from Emacswiki, but I guess it would not be a huge problem for me.)
– mbork 2013-01-23 20:55 UTC
---
Nothing has really changed. Previously, Lisp code was shared between a few Emacs hackers and the intention was to work on improving it and get it integrated into Emacs. The GNU Project was the trusted authority. They distributed the useful contributions. Obviously, that hasn’t scaled well. I think it’s perfectly reasonable for Emacs newbies to distrust code they can’t read that was written by hackers they don’t know.
– AaronHawley 2013-01-23 21:56 UTC
---
Thank you for the kind words, Marcin. I think a lot of people are already using Stackoverflow for Emacs questions. I find the site incredibly useful when I’m at work (except my work is hardly ever related to Emacs, unfortunately).
I also agree with Aaron. Good point regarding the GNU Project being the trusted authority.
– Alex Schroeder 2013-01-23 22:39 UTC
---
I’ve collected examples of manipulated code or binaries: http://www.koch.ro/blog/index.php?/archives/153-On-distributing-binaries.html
I don’t think that it’s too hard to get a gpg key, go to a signing party at your next software conference and sign all your releases. It’s rather dumb easy. And you can use signed git tags on github or any other git hosting platform to provide a very strong confidence for your user that they can trace you back in case you provided bad code.
– Thomas Koch 2013-01-24 12:57 UTC
---
True, it is not “too hard” for many people. But when I write a little throw-away piece of code like EmacsWiki:1000 Words it’s a bit much to ask. I’ve never been to a key signing party. I never go to software conferences. I post it on the wiki. And when I write another little piece of code, I do it again. That’s why *my* code ends up on the wiki and not on github. I keep hoping people will volunteer to maintain code I wrote and either add it to Emacs itself or maintain it in decent repositories. I just don’t see myself doing it. I *like* the division of labor between programming and packaging.
– Alex Schroeder 2013-01-25 10:24 UTC
---
It might be a bit too much to sign a little script of 10 lines that I can quickly review. I was rather referring to big software projects. However, once you’ve got a gpg key you can sign a small code snippet just as easily as you can sign an email.
– Thomas Koch 2013-01-26 10:11 UTC
---
I think now the discussion turns to the question of where to draw the line. There’s exactly one large project that is exclusively hosted on Emacs Wiki, I think: EmacsWiki:Icicles. Others, such as EmacsWiki:Anything, moved to github. Others, like EmacsWiki:Gnus or EmacsWiki:BBDB, were never hosted on Emacs Wiki to begin with. Then there is the large collection of unofficial extensions like the ones listed on EmacsWiki:rcirc. Do they count as a single project or is each file a separate one? From my point of view, each one is a separate project. I just use two of them myself. As such, they are not really “a little script of 10 lines” but they don’t feel like big software projects, either.
I think I’m with Aaron. Emacs Wiki mostly hosts code on the wiki that one could view as “incubator” stuff. Things that haven’t made it into their own repositories or that haven’t made it into Emacs itself. Thus, asking for version control and signed releases is – in the context of code hosted on Emacs Wiki – asking for the right thing at the wrong time. It’s premature for those small single file projects that are hanging in Limbo somewhere between ten lines and inclusion into Emacs or independence as their separate projects.
– Alex Schroeder 2013-01-26 11:46 UTC
---
Using El-Get you can easily add a checksum in your setup so that you only automatically get code from EmacsWiki with that checksum. So if you get to a new machine or re-install your Emacs setup from scratch, and the newly downloaded EmacsWiki code does not match your checksum, El-Get will refuse to load it for you. You can get the checksum interactively using the M-x el-get-checksum command.
– dim 2013-01-27 21:13 UTC
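The pin-and-refuse check described in the comment above, as a stand-alone Emacs Lisp sketch added here; it is not El-Get's code and not part of the original thread. The `my/` function names and the choice of SHA-256 are assumptions made for illustration, and the sample file contents are constructed.

```elisp
;; Added example, not El-Get's code: pin a hash after review, refuse on mismatch.
;; Every `my/' name is hypothetical; SHA-256 is this sketch's choice.

(defun my/file-sha256 (file)
  "Return the SHA-256 hex digest of FILE's raw bytes."
  (with-temp-buffer
    (set-buffer-multibyte nil)
    (insert-file-contents-literally file)
    (secure-hash 'sha256 (current-buffer))))

(defun my/load-pinned (file pinned)
  "Load FILE only if its SHA-256 digest equals PINNED, a hex string.
On mismatch signal an error before any form in FILE is evaluated."
  (let ((actual (my/file-sha256 file)))
    (unless (string= (downcase pinned) actual)
      (error "Checksum mismatch for %s: pinned %s, got %s"
             file pinned actual))
    ;; NOSUFFIX: load exactly the file that was hashed, never a
    ;; neighbouring .elc that the digest did not cover.
    (load file nil 'nomessage 'nosuffix)))

(defun my/demo ()
  "Return (OK . REFUSED) for a constructed file before and after an edit."
  (let ((file (make-temp-file "wiki-snippet-" nil ".el"))
        ok refused)
    (unwind-protect
        (progn
          ;; Constructed stand-in for a snippet copied from a wiki page.
          (with-temp-file file
            (insert "(defvar my/demo-loaded t)\n"))
          (let ((pin (my/file-sha256 file))) ; recorded once, after review
            (setq ok (my/load-pinned file pin))
            ;; Constructed later edit to the same page.
            (with-temp-file file
              (insert "(defvar my/demo-loaded t)\n(message \"extra\")\n"))
            (setq refused
                  (condition-case err
                      (my/load-pinned file pin)
                    (error (error-message-string err))))))
      (delete-file file))
    (cons ok refused)))
```

The pin only says the file is the one that was reviewed; it says nothing about whether that reviewed version was safe, so the digest has to be recorded after reading the code, not before.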
---
Excellent feature!
– Alex Schroeder 2013-01-28 07:23 UTC