* Tim Cross <theophil...@gmail.com> [2020-11-24 23:40]: > If people are really concerned about security, they should look first at > their use of repositories like MELPA. There is no formal review or > analysis of packages in these repositories, yet people will happily > select some package and install it.
Interesting that you are one who mentions that. There are just few people ever mentioned it. I am still in process of the review of MELPA packages and its system. There are many security issues. Package signing is one example. It does not offer much of security when packages are signed automatically, but it raises level of security. MELPA packages and archive-contents are not PGP signed, while GNU ELPA packages are signed. Licensing issues are also a problem with MELPA as it becomes unclear if I have got the license or not when author does not have a proper name. It is not relevant if majority of people do not think or are not aware of licensing as I have to think of it for software that I may re-use, distribute, modify. Did I really get the license if user is named "nick-abc" and have no possible contact information? In some cases for subset of MELPA packages there is no way to verify who really wrote piece of software and if I have received the license legally. Due diligence is on my side. I cannot just claim "But he gave me license" will not help if I have not done proper due diligence, court would not be on my side. Other issue is that MELPA philosophy is to accept any kind of software even if software has been made to drive or control proprietary software. For that reason there is now non-GNU ELPA being developed where useful packages will be distributed from.