<feed xmlns='http://www.w3.org/2005/Atom'>
<title>emacs, branch scratch/package-security</title>
<subtitle>Emacs is the extensible, customizable, self-documenting real-time display editor. 
</subtitle>
<link rel='alternate' type='text/html' href='https://jason.zzq.org/git/emacs/'/>
<entry>
<title>Support expiration of metadata by package archives</title>
<updated>2020-11-21T23:38:35+00:00</updated>
<author>
<name>Stefan Kangas</name>
</author>
<published>2020-09-07T05:31:56+00:00</published>
<link rel='alternate' type='text/html' href='https://jason.zzq.org/git/emacs/commit/?id=bcde5f86c5a7f3a84115807520631a4f12fb6f70'/>
<id>bcde5f86c5a7f3a84115807520631a4f12fb6f70</id>
<content type='text'>
Expiring package metadata is done by checking the timestamp in the package
archive file.  This is intended to limit the effectiveness of a replay
attack.  The onus is on the package archives to implement a secure and
reasonable policy.  (Debian uses 7 days before metadata expires.)

Together with package checksums, this adds sufficient protection
against metadata replay attacks.  (Bug#19479)

* lisp/emacs-lisp/package.el (package-check-timestamp): New defcustom.
(bad-timestamp): New error.
(package--parse-header-from-buffer)
(package--parse-valid-until-from-buffer)
(package--parse-last-updated-from-buffer)
(package--archive-verify-timestamp)
(package--archive-verify-not-expired)
(package--compare-archive-timestamps)
(package--check-archive-timestamp): New defuns.
(package--download-one-archive): Check timestamp of the
'archive-contents' file using above functions.  It is only checked if
it exists, which makes this change backwards compatible.

* lisp/calendar/iso8601.el (iso8601-parse): Add autoload cookie.

* test/lisp/emacs-lisp/package-tests.el
(package-test-parse-valid-until-from-buffer)
(package-test-parse-last-updated-from-buffer)
(package-test-archive-verify-timestamp)
(package-test-check-archive-timestamp)
(package-test-check-archive-timestamp/not-expired)
(package-test-check-archive-timestamp/expired): New tests.

* test/lisp/emacs-lisp/package-resources/archives/older/archive-contents:
* test/lisp/emacs-lisp/package-resources/archives/newer/archive-contents:
New files.

* doc/lispref/package.texi (Package Archives, Archive Web Server):
Document how to increase the security of a package archive using
checksums, signing and timestamps.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Expiring package metadata is done by checking the timestamp in the package
archive file.  This is intended to limit the effectiveness of a replay
attack.  The onus is on the package archives to implement a secure and
reasonable policy.  (Debian uses 7 days before metadata expires.)

Together with package checksums, this adds sufficient protection
against metadata replay attacks.  (Bug#19479)

* lisp/emacs-lisp/package.el (package-check-timestamp): New defcustom.
(bad-timestamp): New error.
(package--parse-header-from-buffer)
(package--parse-valid-until-from-buffer)
(package--parse-last-updated-from-buffer)
(package--archive-verify-timestamp)
(package--archive-verify-not-expired)
(package--compare-archive-timestamps)
(package--check-archive-timestamp): New defuns.
(package--download-one-archive): Check timestamp of the
'archive-contents' file using above functions.  It is only checked if
it exists, which makes this change backwards compatible.

* lisp/calendar/iso8601.el (iso8601-parse): Add autoload cookie.

* test/lisp/emacs-lisp/package-tests.el
(package-test-parse-valid-until-from-buffer)
(package-test-parse-last-updated-from-buffer)
(package-test-archive-verify-timestamp)
(package-test-check-archive-timestamp)
(package-test-check-archive-timestamp/not-expired)
(package-test-check-archive-timestamp/expired): New tests.

* test/lisp/emacs-lisp/package-resources/archives/older/archive-contents:
* test/lisp/emacs-lisp/package-resources/archives/newer/archive-contents:
New files.

* doc/lispref/package.texi (Package Archives, Archive Web Server):
Document how to increase the security of a package archive using
checksums, signing and timestamps.
</pre>
</div>
</content>
</entry>
<entry>
<title>Support package checksum verification</title>
<updated>2020-11-21T23:38:35+00:00</updated>
<author>
<name>Stefan Kangas</name>
</author>
<published>2019-10-04T08:36:14+00:00</published>
<link rel='alternate' type='text/html' href='https://jason.zzq.org/git/emacs/commit/?id=733e674af4f66ba7e9f0614b931c44484acce2b9'/>
<id>733e674af4f66ba7e9f0614b931c44484acce2b9</id>
<content type='text'>
Package checksum verification is the first step towards protecting
users of package.el against replay attacks.  Signing individual
packages still allows a hostile actor to distribute an out-of-date
package containing a known security defect.  To avoid that, we need to
distribute signed package metadata (the ELPA "archive-contents" file)
and checksums for the individual packages together.  (Bug#19479)

A subsequent patch will add support for last-update and expiration
timestamps in "archive-contents", without which the protection against
replay attacks will be largely ineffective.

Taken together, this feature will make signing individual packages
obsolete.  We will instead rely on signing the metadata, package
checksums and timestamps.  Note that individual package signatures
should still be distributed for a long time to support old
versions of Emacs.

For more on replay attacks, see:
https://www2.cs.arizona.edu/stork/packagemanagersecurity/attacks-on-package-managers.html

* lisp/emacs-lisp/package.el (package-verify-checksums): New
defcustom.
(package-desc, package--ac-desc)
(package--add-to-archive-contents, package-install-from-archive): New
fields 'size' and 'checksums'.
(package-desc-filename): New function.

(package-error): New error type.
(bad-signature): Inherit from error type 'package-error'.
(bad-checksum, bad-size): New error types.
(package-insecure-hash-algorithms): New constant.
(package--verify-package-checksum)
(package--verify-package-size): New functions to verify that the
checksum and size of a package correspond to the checksum and size
data in the "archive-contents" file on the package archive.
(package--show-verify-checksum-error): New function to show
details of an error on checksum verification.

* lisp/emacs-lisp/package-x.el (package-upload-buffer-internal):
Update to use above new fields 'size' and 'checksums'.

* test/lisp/emacs-lisp/package-tests.el (package-test-refresh-contents)
(package-test-install-single-from-archive)
(package-test-list-filter-by-archive)
(package-test-list-filter-by-status): Update tests.
(with-install-using-checksum): New macro.
(package-test-install-wrong-size-single)
(package-test-install-wrong-size-tar): New tests for size checking.
(package-test-install-with-checksum/single-valid)
(package-test-install-with-checksum/single-invalid)
(package-test-install-with-checksum/tar-valid)
(package-test-install-with-checksum/tar-invalid): New tests for
installing packages with checksums.
(package-test-verification-text)
(package-tests-valid-md5-checksum)
(package-tests-valid-sha256-checksum)
(package-tests-valid-sha512-checksum): New variables.
(package-tests--run-verify-checksums-test): New macro.
(package-test-verify-package-checksums-nil/ignore-invalid)
(package-test-verify-package-checksums-allow-missing)
(package-test-verify-package-checksums-allow-missing/missing)
(package-test-verify-package-checksums-allow-missing/ignore-unsupported)
(package-test-verify-package-checksums-t)
(package-test-verify-package-checksums-t/invalid-fails)
(package-test-verify-package-checksums-t/missing-fails)
(package-test-verify-package-checksums-all)
(package-test-verify-package-checksums-all/invalid-fails)
(package-test-verify-package-checksums-all/missing-fails)
(package-test-verify-package-checksums-all/no-supported-hash-fails)
(package-test-verify-package-checksums-all/ignore-unsupported)
(package-test-verify-package-size): New tests for the checksum
support.

* test/lisp/emacs-lisp/package-resources/archive-contents:
* test/lisp/emacs-lisp/package-resources/checksum-invalid-1.0.el:
* test/lisp/emacs-lisp/package-resources/checksum-valid-123.el:
* test/lisp/emacs-lisp/package-resources/checksum-valid-tar-0.99.tar:
* test/lisp/emacs-lisp/package-resources/checksum-valid-tar-0.99.tar:
New test data files.

* doc/emacs/package.texi (Package Installation): Document package
checksum checking.
* etc/NEWS: Announce it.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Package checksum verification is the first step towards protecting
users of package.el against replay attacks.  Signing individual
packages still allows a hostile actor to distribute an out-of-date
package containing a known security defect.  To avoid that, we need to
distribute signed package metadata (the ELPA "archive-contents" file)
and checksums for the individual packages together.  (Bug#19479)

A subsequent patch will add support for last-update and expiration
timestamps in "archive-contents", without which the protection against
replay attacks will be largely ineffective.

Taken together, this feature will make signing individual packages
obsolete.  We will instead rely on signing the metadata, package
checksums and timestamps.  Note that individual package signatures
should still be distributed for a long time to support old
versions of Emacs.

For more on replay attacks, see:
https://www2.cs.arizona.edu/stork/packagemanagersecurity/attacks-on-package-managers.html

* lisp/emacs-lisp/package.el (package-verify-checksums): New
defcustom.
(package-desc, package--ac-desc)
(package--add-to-archive-contents, package-install-from-archive): New
fields 'size' and 'checksums'.
(package-desc-filename): New function.

(package-error): New error type.
(bad-signature): Inherit from error type 'package-error'.
(bad-checksum, bad-size): New error types.
(package-insecure-hash-algorithms): New constant.
(package--verify-package-checksum)
(package--verify-package-size): New functions to verify that the
checksum and size of a package correspond to the checksum and size
data in the "archive-contents" file on the package archive.
(package--show-verify-checksum-error): New function to show
details of an error on checksum verification.

* lisp/emacs-lisp/package-x.el (package-upload-buffer-internal):
Update to use above new fields 'size' and 'checksums'.

* test/lisp/emacs-lisp/package-tests.el (package-test-refresh-contents)
(package-test-install-single-from-archive)
(package-test-list-filter-by-archive)
(package-test-list-filter-by-status): Update tests.
(with-install-using-checksum): New macro.
(package-test-install-wrong-size-single)
(package-test-install-wrong-size-tar): New tests for size checking.
(package-test-install-with-checksum/single-valid)
(package-test-install-with-checksum/single-invalid)
(package-test-install-with-checksum/tar-valid)
(package-test-install-with-checksum/tar-invalid): New tests for
installing packages with checksums.
(package-test-verification-text)
(package-tests-valid-md5-checksum)
(package-tests-valid-sha256-checksum)
(package-tests-valid-sha512-checksum): New variables.
(package-tests--run-verify-checksums-test): New macro.
(package-test-verify-package-checksums-nil/ignore-invalid)
(package-test-verify-package-checksums-allow-missing)
(package-test-verify-package-checksums-allow-missing/missing)
(package-test-verify-package-checksums-allow-missing/ignore-unsupported)
(package-test-verify-package-checksums-t)
(package-test-verify-package-checksums-t/invalid-fails)
(package-test-verify-package-checksums-t/missing-fails)
(package-test-verify-package-checksums-all)
(package-test-verify-package-checksums-all/invalid-fails)
(package-test-verify-package-checksums-all/missing-fails)
(package-test-verify-package-checksums-all/no-supported-hash-fails)
(package-test-verify-package-checksums-all/ignore-unsupported)
(package-test-verify-package-size): New tests for the checksum
support.

* test/lisp/emacs-lisp/package-resources/archive-contents:
* test/lisp/emacs-lisp/package-resources/checksum-invalid-1.0.el:
* test/lisp/emacs-lisp/package-resources/checksum-valid-123.el:
* test/lisp/emacs-lisp/package-resources/checksum-valid-tar-0.99.tar:
* test/lisp/emacs-lisp/package-resources/checksum-valid-tar-0.99.tar:
New test data files.

* doc/emacs/package.texi (Package Installation): Document package
checksum checking.
* etc/NEWS: Announce it.
</pre>
</div>
</content>
</entry>
<entry>
<title>Handle help-form in y-or-n-p and use this in find-file-noselect (bug#5423)</title>
<updated>2020-11-21T19:49:46+00:00</updated>
<author>
<name>Juri Linkov</name>
</author>
<published>2020-11-21T19:49:46+00:00</published>
<link rel='alternate' type='text/html' href='https://jason.zzq.org/git/emacs/commit/?id=0a8cd0116204354e95fbb4ebde64c58123502aa2'/>
<id>0a8cd0116204354e95fbb4ebde64c58123502aa2</id>
<content type='text'>
* doc/lispref/help.texi (Help Functions): Mention help-form for
read-char-from-minibuffer and y-or-n-p.

* doc/lispref/minibuf.texi (Yes-or-No Queries): Mention help-form
for y-or-n-p.
(Multiple Queries): Mention help-form for read-char-from-minibuffer.

* lisp/files.el (find-file-noselect): Let-bind multi-line help text
to help-form for y-or-n-p.

* lisp/subr.el (read-char-choice): Mention help-form in docstring.
(read-char-from-minibuffer): Mention help-form in docstring.
(y-or-n-p-map): Remove handling of 'help'.
(y-or-n-p): Mention help-form in docstring.
When help-form is non-nil: add help-char to 'prompt', and bind
help-char to help-form-show in composed-keymap.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
* doc/lispref/help.texi (Help Functions): Mention help-form for
read-char-from-minibuffer and y-or-n-p.

* doc/lispref/minibuf.texi (Yes-or-No Queries): Mention help-form
for y-or-n-p.
(Multiple Queries): Mention help-form for read-char-from-minibuffer.

* lisp/files.el (find-file-noselect): Let-bind multi-line help text
to help-form for y-or-n-p.

* lisp/subr.el (read-char-choice): Mention help-form in docstring.
(read-char-from-minibuffer): Mention help-form in docstring.
(y-or-n-p-map): Remove handling of 'help'.
(y-or-n-p): Mention help-form in docstring.
When help-form is non-nil: add help-char to 'prompt', and bind
help-char to help-form-show in composed-keymap.
</pre>
</div>
</content>
</entry>
<entry>
<title>Handle connection-local null-device and path-separator variables</title>
<updated>2020-11-21T14:28:52+00:00</updated>
<author>
<name>Michael Albinus</name>
</author>
<published>2020-11-21T14:28:52+00:00</published>
<link rel='alternate' type='text/html' href='https://jason.zzq.org/git/emacs/commit/?id=789ee3e1d55a86b9ce38d1374c0e01d04f97eb7d'/>
<id>789ee3e1d55a86b9ce38d1374c0e01d04f97eb7d</id>
<content type='text'>
* doc/lispref/os.texi (System Environment): Add `path-separator'
function and `null-device' variable and function.

* etc/NEWS: Mention 'null-device' and 'path-separator'.  Fix typos.

* lisp/files-x.el (path-separator, null-device): New defuns.  (Bug#3736)

* lisp/net/tramp-adb.el
(tramp-adb-connection-local-default-shell-variables): Rename from
`tramp-adb-connection-local-default-profile'.

* lisp/net/tramp-integration.el
(tramp-connection-local-default-system-variables): New defvar.
Add it to connection-local profiles.
(tramp-connection-local-default-shell-variables): Rename from
`tramp-connection-local-default-profile'.

* lisp/progmodes/grep.el (grep-hello-file): New defun.
(grep-compute-defaults): Use `null-device' function for remote
case. Handle remote `hello-file'.  Use `process-file-shell-command'.
(grep, grep-expand-keywords, lgrep): Use `null-device' function for
remote case.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
* doc/lispref/os.texi (System Environment): Add `path-separator'
function and `null-device' variable and function.

* etc/NEWS: Mention 'null-device' and 'path-separator'.  Fix typos.

* lisp/files-x.el (path-separator, null-device): New defuns.  (Bug#3736)

* lisp/net/tramp-adb.el
(tramp-adb-connection-local-default-shell-variables): Rename from
`tramp-adb-connection-local-default-profile'.

* lisp/net/tramp-integration.el
(tramp-connection-local-default-system-variables): New defvar.
Add it to connection-local profiles.
(tramp-connection-local-default-shell-variables): Rename from
`tramp-connection-local-default-profile'.

* lisp/progmodes/grep.el (grep-hello-file): New defun.
(grep-compute-defaults): Use `null-device' function for remote
case. Handle remote `hello-file'.  Use `process-file-shell-command'.
(grep, grep-expand-keywords, lgrep): Use `null-device' function for
remote case.
</pre>
</div>
</content>
</entry>
<entry>
<title>Migrate usage of GPM_CLICK_EVENT to MOUSE_CLICK_EVENT.</title>
<updated>2020-11-21T08:20:05+00:00</updated>
<author>
<name>Jared Finder</name>
</author>
<published>2020-11-15T07:44:26+00:00</published>
<link rel='alternate' type='text/html' href='https://jason.zzq.org/git/emacs/commit/?id=2c7687738d0b7da60014a7af05ab199936617d71'/>
<id>2c7687738d0b7da60014a7af05ab199936617d71</id>
<content type='text'>
* src/termhooks.h (enum event_kind):
* src/term.c (term_mouse_click, handle_one_term_event):
* src/keyboard.c (discard_mouse_events, make_lispy_event): Migrate
usage of GPM_CLICK_EVENT to MOUSE_CLICK_EVENT.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
* src/termhooks.h (enum event_kind):
* src/term.c (term_mouse_click, handle_one_term_event):
* src/keyboard.c (discard_mouse_events, make_lispy_event): Migrate
usage of GPM_CLICK_EVENT to MOUSE_CLICK_EVENT.
</pre>
</div>
</content>
</entry>
<entry>
<title>* lisp/emacs-lisp/package.el (package-strip-rcs-id): Don't ignore errors</title>
<updated>2020-11-21T00:28:34+00:00</updated>
<author>
<name>Stefan Monnier</name>
</author>
<published>2020-11-21T00:28:34+00:00</published>
<link rel='alternate' type='text/html' href='https://jason.zzq.org/git/emacs/commit/?id=932cb10761b9f249c87d7c19778873691f2a5d46'/>
<id>932cb10761b9f249c87d7c19778873691f2a5d46</id>
<content type='text'>
Ignoring errors here just postpones the error and replaces a clear
"invalid version syntax" with a confusing "package lacks a version".
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Ignoring errors here just postpones the error and replaces a clear
"invalid version syntax" with a confusing "package lacks a version".
</pre>
</div>
</content>
</entry>
<entry>
<title>Use cl-letf instead of unwind-protect in a test</title>
<updated>2020-11-20T22:28:03+00:00</updated>
<author>
<name>Mauro Aranda</name>
</author>
<published>2020-11-20T22:28:03+00:00</published>
<link rel='alternate' type='text/html' href='https://jason.zzq.org/git/emacs/commit/?id=abd15e088e99b1c6334a427879fead0d557b7447'/>
<id>abd15e088e99b1c6334a427879fead0d557b7447</id>
<content type='text'>
* test/lisp/cus-edit-tests.el (cus-edit-tests-customize-saved/show-obsolete):
Good use case for cl-letf, so use it.
Suggested by Stefan Monnier &lt;monnier@iro.umontreal.ca&gt; in:
https://lists.gnu.org/archive/html/emacs-devel/2020-11/msg00914.html
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
* test/lisp/cus-edit-tests.el (cus-edit-tests-customize-saved/show-obsolete):
Good use case for cl-letf, so use it.
Suggested by Stefan Monnier &lt;monnier@iro.umontreal.ca&gt; in:
https://lists.gnu.org/archive/html/emacs-devel/2020-11/msg00914.html
</pre>
</div>
</content>
</entry>
<entry>
<title>* test/manual/indent/tcl.tcl: Add string interpolation case</title>
<updated>2020-11-20T21:54:06+00:00</updated>
<author>
<name>Stefan Monnier</name>
</author>
<published>2020-11-20T21:54:06+00:00</published>
<link rel='alternate' type='text/html' href='https://jason.zzq.org/git/emacs/commit/?id=ac98bcc906254da564d77dd33e902e4590ae1d33'/>
<id>ac98bcc906254da564d77dd33e902e4590ae1d33</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>Don't optimize away `eval` when its lexical context is different</title>
<updated>2020-11-20T21:45:56+00:00</updated>
<author>
<name>Stefan Monnier</name>
</author>
<published>2020-11-20T21:45:56+00:00</published>
<link rel='alternate' type='text/html' href='https://jason.zzq.org/git/emacs/commit/?id=2ba2e7217f520a43a098b2ef92a452868b88cc70'/>
<id>2ba2e7217f520a43a098b2ef92a452868b88cc70</id>
<content type='text'>
* lisp/emacs-lisp/bytecomp.el (byte-compile-file-form-eval):
Obey lexical-binding.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
* lisp/emacs-lisp/bytecomp.el (byte-compile-file-form-eval):
Obey lexical-binding.
</pre>
</div>
</content>
</entry>
<entry>
<title>Take care of a FIXME in cus-edit-tests.el</title>
<updated>2020-11-20T21:37:30+00:00</updated>
<author>
<name>Mauro Aranda</name>
</author>
<published>2020-11-20T21:37:30+00:00</published>
<link rel='alternate' type='text/html' href='https://jason.zzq.org/git/emacs/commit/?id=6924320aebce9ba885877da45e43d8d573da8bf6'/>
<id>6924320aebce9ba885877da45e43d8d573da8bf6</id>
<content type='text'>
* test/lisp/cus-edit-tests.el (cus-edit-tests-customize-saved/show-obsolete):
Add a fake saved-value property, to be able to check that the obsolete
option is present in the Customize buffer.  Expect the test to pass
now.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
* test/lisp/cus-edit-tests.el (cus-edit-tests-customize-saved/show-obsolete):
Add a fake saved-value property, to be able to check that the obsolete
option is present in the Customize buffer.  Expect the test to pass
now.
</pre>
</div>
</content>
</entry>
</feed>
