First example we at MELPA have seen of an #emacs package getting hacked (upstream of us, in GitHub): https://github.com/kubernetes-el/kubernetes-el/issues/383
-
First example we at MELPA have seen of an #emacs package getting hacked (upstream of us, in GitHub): https://github.com/kubernetes-el/kubernetes-el/issues/383
If installed, loading this compromised #emacs library would trigger the embedded shell command. Not very subtle, but this should be a reminder to the dev community that plugins for even niche dev tools can be an attack vector.
-
First example we at MELPA have seen of an #emacs package getting hacked (upstream of us, in GitHub): https://github.com/kubernetes-el/kubernetes-el/issues/383
@sanityinc good thread on
this when it was just theoretical https://www.reddit.com/r/emacs/comments/1i1u0rj/how_does_the_emacs_community_protects_itself/?rdt=45984 -
@sanityinc good thread on
this when it was just theoretical https://www.reddit.com/r/emacs/comments/1i1u0rj/how_does_the_emacs_community_protects_itself/?rdt=45984@tzz Yeah, many such discussions in the past. IIRC Emacs 31 will have built-in support for diffing package updates before full installation. In this case, the modified file would not have got past the MELPA build step, so we won't have distributed it, but there's no particular barrier to crafting a malicious package that *would* get built.
-
@tzz Yeah, many such discussions in the past. IIRC Emacs 31 will have built-in support for diffing package updates before full installation. In this case, the modified file would not have got past the MELPA build step, so we won't have distributed it, but there's no particular barrier to crafting a malicious package that *would* get built.
@tzz "Maintainer gets compromised" is a very difficult thing to mitigate centrally.
-
If installed, loading this compromised #emacs library would trigger the embedded shell command. Not very subtle, but this should be a reminder to the dev community that plugins for even niche dev tools can be an attack vector.
@sanityinc Strange that the PR was merged without maintainer approval.
-
@sanityinc Strange that the PR was merged without maintainer approval.
@paniash I commented on the issue — I think the attacker stole a github token via a privileged Actions run that was made without needing the maintainer's approval.
-
@tzz "Maintainer gets compromised" is a very difficult thing to mitigate centrally.
@sanityinc @tzz And Emacs is by necessity a tool that have wide-ranging access to the system where it's run.
I have been worried about this very thing for a while, in fact every time I install a MELPA package.
-
@sanityinc @tzz And Emacs is by necessity a tool that have wide-ranging access to the system where it's run.
I have been worried about this very thing for a while, in fact every time I install a MELPA package.
@loke @sanityinc @tzz Same. And what if I'm root? Do I even install packages? I guess I shouldn't.
-
@loke @sanityinc @tzz Same. And what if I'm root? Do I even install packages? I guess I shouldn't.
@alex @loke @sanityinc @tzz time for Emacs solo?
-
If installed, loading this compromised #emacs library would trigger the embedded shell command. Not very subtle, but this should be a reminder to the dev community that plugins for even niche dev tools can be an attack vector.
@sanityinc It's events like this that make me want to just write all my own Emacs packages
-
@loke @sanityinc @tzz Same. And what if I'm root? Do I even install packages? I guess I shouldn't.
@alex I mostly use jed as root, that's usually good enough for the minor editing needs I have as root. Everything that requires more comfort and capabilities will be done with my normal account and then run as root.
@loke @sanityinc @tzz -
@alex I mostly use jed as root, that's usually good enough for the minor editing needs I have as root. Everything that requires more comfort and capabilities will be done with my normal account and then run as root.
@loke @sanityinc @tzz@schaueho @alex @sanityinc @tzz I'm not worried about anyone getting access to root. All the sensitive data and actions are available to my regular user, ao that's what I want to protect.
The only approach that works reasonably well today is that of Qubes OS, but it still suffers from the limitation of not exposing any GPU functionality, which is a blocker for many usecases.
-
@schaueho @alex @sanityinc @tzz I'm not worried about anyone getting access to root. All the sensitive data and actions are available to my regular user, ao that's what I want to protect.
The only approach that works reasonably well today is that of Qubes OS, but it still suffers from the limitation of not exposing any GPU functionality, which is a blocker for many usecases.
-
@sanityinc It's events like this that make me want to just write all my own Emacs packages
@j3rn it's not impossible: https://www.rahuljuliato.com/posts/emacs-solo-two-years
-
@sanityinc Then the risk of this is not increased (at least not too much) when considering root.
However, given that there are still files that only root can access and things that only root can change on a system, I actually think that usually the risk would be higher for root. But it's not a big point, agreed.
@loke @alex @tzz -
R relay@relay.an.exchange shared this topic
