From: Eli Zaretskii <eliz@gnu.org>
To: john muhl <jm@pub.pink>
Cc: 75017@debbugs.gnu.org
Subject: bug#75017: 31.0.50; Untrusted user lisp files
Date: Sun, 22 Dec 2024 08:19:32 +0200 [thread overview]
Message-ID: <86frmg6xzf.fsf@gnu.org> (raw)
In-Reply-To: <87bjx43gp7.fsf@pub.pink> (message from john muhl on Sat, 21 Dec 2024 14:48:52 -0600)
> From: john muhl <jm@pub.pink>
> Date: Sat, 21 Dec 2024 14:48:52 -0600
>
> user-init-file is trusted by default but not other user files.
>
> C-xf ~/.emacs.d/early-init.el
> M-x flymake-mode
>
> Produces a warning:
>
> Disabling elisp-flymake-byte-compile in early-init.el (untrusted content)
>
> custom-file (when not the same as user-init-file) also causes a
> warning. Should these also be trusted by default?
No, not IMO. Please add those files you know you can trust to the
list of trusted files, and let's see if that works well for you. If,
after you have used that for some time, you have observations to
report or changes to suggest, please do, but let's please base such
observations on some sufficiently significant (read: long enough)
experience.
> What about files put in place by a system admin or your distro’s
> Emacs package (e.g. site-run-file, default.el)? They generally
> require root priviledges to install so if they can’t be trusted
> you’re already in trouble.
On my system, these files do not need any admin privileges, so I don't
think we should trust them by default. Users who know that these
files are modified only by trusted admins can and probably should add
them to the list of trusted files, if they need that (in general,
there should be no need to run Flymake in those files, in which case
these files don't need to be added even if they are trusted).
Btw, if we are talking about trusted admins, then entire directories
should be trusted, for example /usr/share or /usr/share/emacs.
There's a reason why we didn't do that by default.
next prev parent reply other threads:[~2024-12-22 6:19 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-21 20:48 bug#75017: 31.0.50; Untrusted user lisp files john muhl
2024-12-22 2:47 ` Stefan Kangas
2024-12-22 3:16 ` Stefan Monnier via Bug reports for GNU Emacs, the Swiss army knife of text editors
2024-12-22 6:12 ` Eli Zaretskii
2024-12-22 17:36 ` Stefan Kangas
2024-12-22 18:41 ` Eli Zaretskii
2024-12-22 18:47 ` Drew Adams via Bug reports for GNU Emacs, the Swiss army knife of text editors
2024-12-22 6:19 ` Eli Zaretskii [this message]
2024-12-22 17:20 ` Stefan Kangas
2024-12-22 18:38 ` Eli Zaretskii
2024-12-22 19:52 ` Dmitry Gutov
2024-12-22 20:23 ` Eli Zaretskii
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=86frmg6xzf.fsf@gnu.org \
--to=eliz@gnu.org \
--cc=75017@debbugs.gnu.org \
--cc=jm@pub.pink \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).