Warn before assimilating an unsafe package
Closed this issue · 1 comments
All packages are somewhat unsafe because no review happens. There's nothing we can do about that, we cannot review all packages.
But some packages are more unsafe than others. Packages from the Emacswiki are completely unsafe because it does not even require that the maintainer of a package decides to launch an attack or gets hacked - anyone can edit any package on the Emacswiki.
Even though it is now possible and encouraged to clone a package before assimilating it to have a change to review it before executing any of its code, some extra protection should be added. So start warning when the user attempts to assimilate a package and optionally also do so before cloning.
The same should optionally be done for packages that are fetched over an unsecure connection.