
Isn't MELPA just serving the latest git master of whatever it happens to be at the time package-refresh-contents was called? With MELPA stable likewise just serving the latest tag? That doesn't spell trust.


Using Emacs is not going to help you to avoid supply chain attacks per se. What it might do, however, is give you unparalleled power to inspect your environment - calls and source. If you run untrusted code you are exposed, and that's that. Development tools should assume that you, a programmer, know what you are programming.

Emacs and Lisp are focused on providing power, not security. These often do not go hand in hand.


> What it might do, however, is give you unparalleled power to inspect your environment [...]

The "read the source" argument. It doesn't scale. I don't have 17 lifetimes to study a single release of every bit of software I run.

I really do appreciate Emacs for the introspection capabilities, but it's not a solution to the trust chain issue.


It scales to "don't run untrusted code if you are concerned about security".


> don't run untrusted code

The entire point of this thread is how a chain of trust should be maintained. "Don't run untrusted code" is skipping from the question straight to a hypothetical world where an answer has already been established.

"How to live long" - "don't die".


MELPA is not ELPA.



