bug#61901: 30.0.50; [PATCH] Add permanently-enabled-local-variable-dirs variable.

bug#61901: 30.0.50; [PATCH] Add permanently-enabled-local-variable-dirs variable.

[Antero Mejr via Bug reports for GNU Emacs, the Swiss army knife of text editors]

[-- Attachment #1: Type: text/plain, Size: 370 bytes --]


This patch allows users to trust directories to load dir-local variables
from, so they don't have to do something lile this:
(defun risky-local-variable-p (sym &optional _ignored) nil)
as suggested here:
https://emacs.stackexchange.com/questions/10983/remember-permission-to-execute-risky-local-variables

It also works over TRAMP if enable-remote-dir-locals is true.


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-Add-permanently-enabled-local-variable-dirs-variable.patch --]
[-- Type: text/x-patch, Size: 6857 bytes --]

From 93494f5beb4b51d989ea87755c077379458ffb04 Mon Sep 17 00:00:00 2001
From: Antero Mejr <antero@mailbox.org>
Date: Wed, 1 Mar 2023 21:59:57 +0000
Subject: [PATCH] Add permanently-enabled-local-variable-dirs variable.

This variable can be set to automatically load risky dir-local variables from
a list of trusted directories.

* lisp/emacs-lisp/files.el (permanently-enabled-local-variable-dirs,
hack-local-variables-filter, hack-local-variables-confirm): New variable and
associated logic.
* test/lisp/files-tests.el
(files-tests-permanently-enabled-local-variable-dirs): Add tests for same.
* doc/lispref/variables.texi (File Local Variables): Add documentation for
same.
* etc/NEWS (Lisp Changes in Emacs 30.1): Add news entry for same.
---
 doc/lispref/variables.texi |  6 ++++++
 etc/NEWS                   |  5 +++++
 lisp/files.el              | 27 ++++++++++++++++++++++-----
 test/lisp/files-tests.el   | 22 ++++++++++++++++++++++
 4 files changed, 55 insertions(+), 5 deletions(-)

diff --git a/doc/lispref/variables.texi b/doc/lispref/variables.texi
index 5584cbce9a6..47cfb824dcb 100644
--- a/doc/lispref/variables.texi
+++ b/doc/lispref/variables.texi
@@ -1974,6 +1974,12 @@ File Local Variables
 symbols.
 @end defvar
 
+@defvar permanently-enabled-local-variable-dirs
+This is a list of trusted directories that contain local variables.
+Local variables in these directories will always be enabled, regardless
+of whether they are risky.
+@end defvar
+
 @defun hack-local-variables &optional handle-mode
 This function parses, and binds or evaluates as appropriate, any local
 variables specified by the contents of the current buffer.  The variable
diff --git a/etc/NEWS b/etc/NEWS
index 31fb22fc1e2..cc5198a903b 100644
--- a/etc/NEWS
+++ b/etc/NEWS
@@ -238,6 +238,11 @@ hooks named after the feature name, like 'esh-mode-unload-hook'.
 \f
 * Lisp Changes in Emacs 30.1
 
++++
+** New variable 'permanently-enabled-local-variable-dirs'.
+This variable is used to to permanently trust directories containing
+risky directory-local variables.
+
 ** Functions and variables to transpose sexps
 
 +++
diff --git a/lisp/files.el b/lisp/files.el
index 387a3b5dc66..bde126375ae 100644
--- a/lisp/files.el
+++ b/lisp/files.el
@@ -681,7 +681,8 @@ enable-local-variables
 always obeys file local variable specifications and the -*- line,
 and ignores this variable.
 
-Also see the `permanently-enabled-local-variables' variable."
+Also see the `permanently-enabled-local-variables' and
+'permanently-enabled-local-variable-dirs' variables."
   :risky t
   :type '(choice (const :tag "Query Unsafe" t)
 		 (const :tag "Safe Only" :safe)
@@ -3692,6 +3693,14 @@ permanently-enabled-local-variables
   "A list of file-local variables that are always enabled.
 This overrides any `enable-local-variables' setting.")
 
+(defcustom permanently-enabled-local-variable-dirs '()
+  "A list of directories that contain local variables that are always
+enabled, regardless of whether they are risky."
+  :version "30.1"
+  :type '(repeat string)
+  :risky t
+  :group 'find-file)
+
 (defun hack-local-variables-confirm (all-vars unsafe-vars risky-vars dir-name)
   "Get confirmation before setting up local variable values.
 ALL-VARS is the list of all variables to be set up.
@@ -3730,7 +3739,9 @@ hack-local-variables-confirm
 !  -- to apply the local variables list, and permanently mark these
       values (*) as safe (in the future, they will be set automatically.)
 i  -- to ignore the local variables list, and permanently mark these
-      values (*) as ignored\n\n")
+      values (*) as ignored
++  -- to apply the local variables list, and permanently trust "
+                    name "\n\n")
 	  (insert "\n\n"))
 	(dolist (elt all-vars)
 	  (cond ((member elt unsafe-vars)
@@ -3754,7 +3765,7 @@ hack-local-variables-confirm
 	(pop-to-buffer buf '(display-buffer--maybe-at-bottom))
 	(let* ((exit-chars '(?y ?n ?\s))
 	       (prompt (format "Please type %s%s: "
-			       (if offer-save "y, n, ! or i" "y or n")
+			       (if offer-save "y, n, !, i, or +" "y or n")
 			       (if (< (line-number-at-pos (point-max))
 				      (window-body-height))
 				   ""
@@ -3762,8 +3773,13 @@ hack-local-variables-confirm
 	       char)
 	  (when offer-save
             (push ?i exit-chars)
-            (push ?! exit-chars))
+            (push ?! exit-chars)
+            (push ?+ exit-chars))
 	  (setq char (read-char-choice prompt exit-chars))
+          (when (and offer-save (= char ?+))
+            (customize-push-and-save
+             'permanently-enabled-local-variable-dirs
+             (list dir-name)))
 	  (when (and offer-save
                      (or (= char ?!) (= char ?i))
                      unsafe-vars)
@@ -3772,7 +3788,7 @@ hack-local-variables-confirm
                  'safe-local-variable-values
                'ignored-local-variable-values)
              unsafe-vars))
-	  (prog1 (memq char '(?! ?\s ?y))
+	  (prog1 (memq char '(?! ?\s ?y ?+))
 	    (quit-window t)))))))
 
 (defconst hack-local-variable-regexp
@@ -3904,6 +3920,7 @@ hack-local-variables-filter
 		  (null unsafe-vars)
 		  (null risky-vars))
 	     (memq enable-local-variables '(:all :safe))
+             (member dir-name permanently-enabled-local-variable-dirs)
 	     (hack-local-variables-confirm all-vars unsafe-vars
 					   risky-vars dir-name))
 	 (dolist (elt all-vars)
diff --git a/test/lisp/files-tests.el b/test/lisp/files-tests.el
index aadb60e1de7..95eaf9a6bd0 100644
--- a/test/lisp/files-tests.el
+++ b/test/lisp/files-tests.el
@@ -166,6 +166,28 @@ files-tests-permanent-local-variables
       (hack-local-variables)
       (should (eq lexical-binding nil)))))
 
+(ert-deftest files-tests-permanently-enabled-local-variable-dirs ()
+  ;; permanently-enabled-local-variable-dirs should be risky,
+  ;; so use it as an arbitrary risky variable.
+  (let ((test-alist '((permanently-enabled-local-variable-dirs
+                       . "some_val")))
+        (fakedir "test1/test2")
+        (enable-local-eval t))
+    (with-temp-buffer
+      (setq permanently-enabled-local-variable-dirs (list fakedir))
+      (hack-local-variables-filter test-alist fakedir)
+      (should (equal file-local-variables-alist test-alist)))
+    (with-temp-buffer
+      (setq permanently-enabled-local-variable-dirs (list fakedir))
+      (setq noninteractive t)
+      (hack-local-variables-filter test-alist "wrong")
+      (should-not (equal file-local-variables-alist test-alist)))
+    (with-temp-buffer
+      (setq permanently-enabled-local-variable-dirs '())
+      (setq noninteractive t)
+      (hack-local-variables-filter test-alist fakedir)
+      (should-not (equal file-local-variables-alist test-alist)))))
+
 (defvar files-test-bug-18141-file
   (ert-resource-file "files-bug18141.el.gz")
   "Test file for bug#18141.")
-- 
2.38.1

bug#61901: 30.0.50; [PATCH] Add permanently-enabled-local-variable-dirs variable.

[Eli Zaretskii]

> Date: Wed, 01 Mar 2023 22:20:33 +0000
> From:  Antero Mejr via "Bug reports for GNU Emacs,
>  the Swiss army knife of text editors" <bug-gnu-emacs@gnu.org>
> 
> This patch allows users to trust directories to load dir-local variables
> from, so they don't have to do something lile this:
> (defun risky-local-variable-p (sym &optional _ignored) nil)
> as suggested here:
> https://emacs.stackexchange.com/questions/10983/remember-permission-to-execute-risky-local-variables
> 
> It also works over TRAMP if enable-remote-dir-locals is true.

Thanks, IMO this is a very useful feature.

> --- a/doc/lispref/variables.texi
> +++ b/doc/lispref/variables.texi
> @@ -1974,6 +1974,12 @@ File Local Variables
>  symbols.
>  @end defvar
>  
> +@defvar permanently-enabled-local-variable-dirs
> +This is a list of trusted directories that contain local variables.
> +Local variables in these directories will always be enabled, regardless
> +of whether they are risky.
> +@end defvar

This should explicitly allude to the '.dir-locals.el' files in those
directories, since otherwise talking about "directories that contain
variables" could be confusing.

I also suggest to rename the variable to something like
'permanently-safe-local-variable-directories', or maybe just
'safe-local-variable-directories' which IMO should express the purpose
better.

> -Also see the `permanently-enabled-local-variables' variable."
> +Also see the `permanently-enabled-local-variables' and
> +'permanently-enabled-local-variable-dirs' variables."
   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
We quote `like this' in doc strings, to produce links in the *Help*
buffers.

> +(defcustom permanently-enabled-local-variable-dirs '()
> +  "A list of directories that contain local variables that are always
> +enabled, regardless of whether they are risky."

The first line of a doc string should be a single complete sentence.
(This is because the various apropos commands show only the first line
of the doc string.)

> @@ -3730,7 +3739,9 @@ hack-local-variables-confirm
>  !  -- to apply the local variables list, and permanently mark these
>        values (*) as safe (in the future, they will be set automatically.)
>  i  -- to ignore the local variables list, and permanently mark these
> -      values (*) as ignored\n\n")
> +      values (*) as ignored
> ++  -- to apply the local variables list, and permanently trust "
> +                    name "\n\n")

"permanently trust name" sounds confusing (what is "name"?).  How
about this variant:

  +  -- to apply the local variables list, and permanently trust
        all directory-local variables in this directory

> @@ -3762,8 +3773,13 @@ hack-local-variables-confirm
>  	       char)
>  	  (when offer-save
>              (push ?i exit-chars)
> -            (push ?! exit-chars))
> +            (push ?! exit-chars)
> +            (push ?+ exit-chars))
>  	  (setq char (read-char-choice prompt exit-chars))
> +          (when (and offer-save (= char ?+))
> +            (customize-push-and-save
> +             'permanently-enabled-local-variable-dirs
> +             (list dir-name)))

Bother: AFAIU here we modify the user's custom file without asking for
an explicit permission.  Should we ask for permission?

Last, but not least: this change is larger than what we can accept
without you assigning to FSF the copyright for your changes, and I
don't see any copyright assignment in your name on file.  Would you be
willing to do the legal paperwork for such an assignment?  If yes, I
will send you the form to start the paperwork rolling; when it is
completed, we can install your changes.

Thanks.

bug#61901: 30.0.50; [PATCH] Add permanently-enabled-local-variable-dirs variable.

[Antero Mejr via Bug reports for GNU Emacs, the Swiss army knife of text editors]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: v2-0001-Add-safe-local-variable-directories-variable.patch --]
[-- Type: text/x-patch, Size: 6891 bytes --]

From fa06d54fa49e4da536522e798f8c150d65bccf23 Mon Sep 17 00:00:00 2001
From: Antero Mejr <antero@mailbox.org>
Date: Wed, 1 Mar 2023 21:59:57 +0000
Subject: [PATCH v2] Add safe-local-variable-directories variable.

This variable can be set to automatically load risky dir-local variables from
a list of trusted directories.

* lisp/emacs-lisp/files.el (safe-local-variable-directories,
hack-local-variables-filter, hack-local-variables-confirm): New variable and
associated logic.
* test/lisp/files-tests.el
(files-tests-safe-local-variable-directories): Add tests for same.
* doc/lispref/variables.texi (File Local Variables): Add documentation for
same.
* etc/NEWS (Lisp Changes in Emacs 30.1): Add news entry for same.
---
 doc/lispref/variables.texi |  7 +++++++
 etc/NEWS                   |  5 +++++
 lisp/files.el              | 27 ++++++++++++++++++++++-----
 test/lisp/files-tests.el   | 21 +++++++++++++++++++++
 4 files changed, 55 insertions(+), 5 deletions(-)

diff --git a/doc/lispref/variables.texi b/doc/lispref/variables.texi
index 5584cbce9a6..93243dcb3c0 100644
--- a/doc/lispref/variables.texi
+++ b/doc/lispref/variables.texi
@@ -1974,6 +1974,13 @@ File Local Variables
 symbols.
 @end defvar
 
+@defvar safe-local-variable-directories
+This is a list of directories where local variables are always enabled.
+Directory-local variables loaded from these directories, such as the
+variables in @file{.dir-locals.el}, will be enabled even if they are
+risky.
+@end defvar
+
 @defun hack-local-variables &optional handle-mode
 This function parses, and binds or evaluates as appropriate, any local
 variables specified by the contents of the current buffer.  The variable
diff --git a/etc/NEWS b/etc/NEWS
index 31fb22fc1e2..249dcb92889 100644
--- a/etc/NEWS
+++ b/etc/NEWS
@@ -238,6 +238,11 @@ hooks named after the feature name, like 'esh-mode-unload-hook'.
 \f
 * Lisp Changes in Emacs 30.1
 
++++
+** New variable 'safe-local-variable-directories'.
+This variable is used to to permanently trust directories containing
+risky directory-local variables.
+
 ** Functions and variables to transpose sexps
 
 +++
diff --git a/lisp/files.el b/lisp/files.el
index 387a3b5dc66..a7aea449e09 100644
--- a/lisp/files.el
+++ b/lisp/files.el
@@ -681,7 +681,8 @@ enable-local-variables
 always obeys file local variable specifications and the -*- line,
 and ignores this variable.
 
-Also see the `permanently-enabled-local-variables' variable."
+Also see the `permanently-enabled-local-variables' and
+`safe-local-variable-directories' variables."
   :risky t
   :type '(choice (const :tag "Query Unsafe" t)
 		 (const :tag "Safe Only" :safe)
@@ -3692,6 +3693,15 @@ permanently-enabled-local-variables
   "A list of file-local variables that are always enabled.
 This overrides any `enable-local-variables' setting.")
 
+(defcustom safe-local-variable-directories '()
+  "A list of directories where local variables are always enabled.
+Directory-local variables loaded from these directories, such as the
+variables in .dir-locals.el, will be enabled even if they are risky."
+  :version "30.1"
+  :type '(repeat string)
+  :risky t
+  :group 'find-file)
+
 (defun hack-local-variables-confirm (all-vars unsafe-vars risky-vars dir-name)
   "Get confirmation before setting up local variable values.
 ALL-VARS is the list of all variables to be set up.
@@ -3730,7 +3740,9 @@ hack-local-variables-confirm
 !  -- to apply the local variables list, and permanently mark these
       values (*) as safe (in the future, they will be set automatically.)
 i  -- to ignore the local variables list, and permanently mark these
-      values (*) as ignored\n\n")
+      values (*) as ignored
++  -- to apply the local variables list, and permanently trust all
+      directory-local variables in this directory\n\n")
 	  (insert "\n\n"))
 	(dolist (elt all-vars)
 	  (cond ((member elt unsafe-vars)
@@ -3754,7 +3766,7 @@ hack-local-variables-confirm
 	(pop-to-buffer buf '(display-buffer--maybe-at-bottom))
 	(let* ((exit-chars '(?y ?n ?\s))
 	       (prompt (format "Please type %s%s: "
-			       (if offer-save "y, n, ! or i" "y or n")
+			       (if offer-save "y, n, !, i, or +" "y or n")
 			       (if (< (line-number-at-pos (point-max))
 				      (window-body-height))
 				   ""
@@ -3762,8 +3774,12 @@ hack-local-variables-confirm
 	       char)
 	  (when offer-save
             (push ?i exit-chars)
-            (push ?! exit-chars))
+            (push ?! exit-chars)
+            (push ?+ exit-chars))
 	  (setq char (read-char-choice prompt exit-chars))
+          (when (and offer-save (= char ?+))
+            (customize-push-and-save 'safe-local-variable-directories
+                                     (list dir-name)))
 	  (when (and offer-save
                      (or (= char ?!) (= char ?i))
                      unsafe-vars)
@@ -3772,7 +3788,7 @@ hack-local-variables-confirm
                  'safe-local-variable-values
                'ignored-local-variable-values)
              unsafe-vars))
-	  (prog1 (memq char '(?! ?\s ?y))
+	  (prog1 (memq char '(?! ?\s ?y ?+))
 	    (quit-window t)))))))
 
 (defconst hack-local-variable-regexp
@@ -3904,6 +3920,7 @@ hack-local-variables-filter
 		  (null unsafe-vars)
 		  (null risky-vars))
 	     (memq enable-local-variables '(:all :safe))
+             (member dir-name safe-local-variable-directories)
 	     (hack-local-variables-confirm all-vars unsafe-vars
 					   risky-vars dir-name))
 	 (dolist (elt all-vars)
diff --git a/test/lisp/files-tests.el b/test/lisp/files-tests.el
index aadb60e1de7..af74a8b1ecf 100644
--- a/test/lisp/files-tests.el
+++ b/test/lisp/files-tests.el
@@ -166,6 +166,27 @@ files-tests-permanent-local-variables
       (hack-local-variables)
       (should (eq lexical-binding nil)))))
 
+(ert-deftest files-tests-safe-local-variable-directories ()
+  ;; safe-local-variable-directories should be risky,
+  ;; so use it as an arbitrary risky variable.
+  (let ((test-alist '((safe-local-variable-directories . "some_val")))
+        (fakedir "test1/test2")
+        (enable-local-eval t))
+    (with-temp-buffer
+      (setq safe-local-variable-directories (list fakedir))
+      (hack-local-variables-filter test-alist fakedir)
+      (should (equal file-local-variables-alist test-alist)))
+    (with-temp-buffer
+      (setq safe-local-variable-directories (list fakedir))
+      (setq noninteractive t)
+      (hack-local-variables-filter test-alist "wrong")
+      (should-not (equal file-local-variables-alist test-alist)))
+    (with-temp-buffer
+      (setq safe-local-variable-directories '())
+      (setq noninteractive t)
+      (hack-local-variables-filter test-alist fakedir)
+      (should-not (equal file-local-variables-alist test-alist)))))
+
 (defvar files-test-bug-18141-file
   (ert-resource-file "files-bug18141.el.gz")
   "Test file for bug#18141.")
-- 
2.38.1


[-- Attachment #2: Type: text/plain, Size: 1882 bytes --]


Eli Zaretskii <eliz@gnu.org> writes:
> This should explicitly allude to the '.dir-locals.el' files in those
> directories, since otherwise talking about "directories that contain
> variables" could be confusing.

Fixed in v2.

> I also suggest to rename the variable to something like
> 'permanently-safe-local-variable-directories', or maybe just
> 'safe-local-variable-directories' which IMO should express the purpose
> better.

I like 'safe-local-variable-directories', updated to use that.

> We quote `like this' in doc strings, to produce links in the *Help*
> buffers.

Fixed.

> The first line of a doc string should be a single complete sentence.
> (This is because the various apropos commands show only the first line
> of the doc string.)

Fixed.

> "permanently trust name" sounds confusing (what is "name"?).  How
> about this variant:
>
>   +  -- to apply the local variables list, and permanently trust
>         all directory-local variables in this directory

"name" is a variable that gets expanded to the directory name, but it's
redundant since it's already listed at the top. Updated to use your variant.

> Bother: AFAIU here we modify the user's custom file without asking for
> an explicit permission.  Should we ask for permission?

IMO they give sufficient permission when the use the "+" option.

> Last, but not least: this change is larger than what we can accept
> without you assigning to FSF the copyright for your changes, and I
> don't see any copyright assignment in your name on file.  Would you be
> willing to do the legal paperwork for such an assignment?  If yes, I
> will send you the form to start the paperwork rolling; when it is
> completed, we can install your changes.

I sent the request-assign.future doc to the FSF assignment email earlier
today, feel free to send me paperwork and I will fill it out.

Thank you for the review.

bug#61901: 30.0.50; [PATCH] Add permanently-enabled-local-variable-dirs variable.

[Eli Zaretskii]

> From: Antero Mejr <antero@mailbox.org>
> Cc: Antero Mejr <antero@mailbox.org>, 61901@debbugs.gnu.org
> Date: Thu, 02 Mar 2023 17:09:51 +0000
> 
> I sent the request-assign.future doc to the FSF assignment email earlier
> today, feel free to send me paperwork and I will fill it out.

That should be enough.  If they don't respond within two weeks, ping
them and CC me.

Thanks.

bug#61901: 30.0.50; [PATCH] Add permanently-enabled-local-variable-dirs variable.

[Antero Mejr via Bug reports for GNU Emacs, the Swiss army knife of text editors]

Eli Zaretskii <eliz@gnu.org> writes:
>> I sent the request-assign.future doc to the FSF assignment email earlier
>> today, feel free to send me paperwork and I will fill it out.
>
> That should be enough.  If they don't respond within two weeks, ping
> them and CC me.

I signed and returned the full copyright assignment paperwork last week,
so I assume that my copyright assignment is on file now.

Let me know if this patch needs a v3 or if there is anything else before it
can be applied, thanks.

bug#61901: 30.0.50; [PATCH] Add permanently-enabled-local-variable-dirs variable.

[Eli Zaretskii]

> From: Antero Mejr <antero@mailbox.org>
> Cc: 61901@debbugs.gnu.org
> Date: Tue, 14 Mar 2023 18:46:24 +0000
> 
> Eli Zaretskii <eliz@gnu.org> writes:
> >> I sent the request-assign.future doc to the FSF assignment email earlier
> >> today, feel free to send me paperwork and I will fill it out.
> >
> > That should be enough.  If they don't respond within two weeks, ping
> > them and CC me.
> 
> I signed and returned the full copyright assignment paperwork last week,
> so I assume that my copyright assignment is on file now.

It isn't, not yet.  You should receive another email with the
assignment counter-signed by the FSF, and then it will be added to the
DB.

bug#61901: 30.0.50; [PATCH v3] Add safe-local-variable-directories variable.

[Antero Mejr via Bug reports for GNU Emacs, the Swiss army knife of text editors]

[-- Attachment #1: Type: text/plain, Size: 266 bytes --]


Updated safe-local-variable-directories patch onto master and added bug
number to commit message.

Also should I use git --reroll-count to make v2 patches, v3, etc?  If so
then I included another patch to gitignore rerolled patches, otherwise
please disregard it.


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: v3-0001-Add-safe-local-variable-directories-variable.patch --]
[-- Type: text/x-patch, Size: 7180 bytes --]

From 21506c01f72b10fb69ede16333e4970c0c402851 Mon Sep 17 00:00:00 2001
From: Antero Mejr <antero@mailbox.org>
Date: Tue, 25 Apr 2023 15:30:16 +0000
Subject: [PATCH v3] Add safe-local-variable-directories variable.

This variable can be set to automatically load risky dir-local
variables from a list of trusted directories.

* lisp/emacs-lisp/files.el (safe-local-variable-directories,
hack-local-variables-filter, hack-local-variables-confirm): New
variable and associated logic.
* test/lisp/files-tests.el
(files-tests-safe-local-variable-directories): Add tests for same.
* doc/lispref/variables.texi (File Local Variables): Add documentation
for same.
* etc/NEWS (Lisp Changes in Emacs 30.1): Add news entry for
same.  (Bug#61901)
---
 doc/lispref/variables.texi |  7 +++++++
 etc/NEWS                   |  5 +++++
 lisp/files.el              | 27 ++++++++++++++++++++++-----
 test/lisp/files-tests.el   | 21 +++++++++++++++++++++
 4 files changed, 55 insertions(+), 5 deletions(-)

diff --git a/doc/lispref/variables.texi b/doc/lispref/variables.texi
index eadb5c36de6..7df41a7c997 100644
--- a/doc/lispref/variables.texi
+++ b/doc/lispref/variables.texi
@@ -1977,6 +1977,13 @@ this can be controlled by using this variable, which is a list of
 symbols.
 @end defvar
 
+@defvar safe-local-variable-directories
+This is a list of directories where local variables are always enabled.
+Directory-local variables loaded from these directories, such as the
+variables in @file{.dir-locals.el}, will be enabled even if they are
+risky.
+@end defvar
+
 @defun hack-local-variables &optional handle-mode
 This function parses, and binds or evaluates as appropriate, any local
 variables specified by the contents of the current buffer.  The variable
diff --git a/etc/NEWS b/etc/NEWS
index d39343b8bd4..4eb3ab27139 100644
--- a/etc/NEWS
+++ b/etc/NEWS
@@ -375,6 +375,11 @@ hooks named after the feature name, like 'esh-mode-unload-hook'.
 \f
 * Lisp Changes in Emacs 30.1
 
++++
+** New variable 'safe-local-variable-directories'.
+This variable is used to to permanently trust directories containing
+risky directory-local variables.
+
 ** New variable 'inhibit-auto-fill' to temporarily prevent auto-fill.
 
 ** Functions and variables to transpose sexps
diff --git a/lisp/files.el b/lisp/files.el
index c6f53e5eaf8..3152fc61d9d 100644
--- a/lisp/files.el
+++ b/lisp/files.el
@@ -681,7 +681,8 @@ The command \\[normal-mode], when used interactively,
 always obeys file local variable specifications and the -*- line,
 and ignores this variable.
 
-Also see the `permanently-enabled-local-variables' variable."
+Also see the `permanently-enabled-local-variables' and
+`safe-local-variable-directories' variables."
   :risky t
   :type '(choice (const :tag "Query Unsafe" t)
 		 (const :tag "Safe Only" :safe)
@@ -3696,6 +3697,15 @@ variable to set.")
   "A list of file-local variables that are always enabled.
 This overrides any `enable-local-variables' setting.")
 
+(defcustom safe-local-variable-directories '()
+  "A list of directories where local variables are always enabled.
+Directory-local variables loaded from these directories, such as the
+variables in .dir-locals.el, will be enabled even if they are risky."
+  :version "30.1"
+  :type '(repeat string)
+  :risky t
+  :group 'find-file)
+
 (defun hack-local-variables-confirm (all-vars unsafe-vars risky-vars dir-name)
   "Get confirmation before setting up local variable values.
 ALL-VARS is the list of all variables to be set up.
@@ -3734,7 +3744,9 @@ n  -- to ignore the local variables list.")
 !  -- to apply the local variables list, and permanently mark these
       values (*) as safe (in the future, they will be set automatically.)
 i  -- to ignore the local variables list, and permanently mark these
-      values (*) as ignored\n\n")
+      values (*) as ignored
++  -- to apply the local variables list, and permanently trust all
+      directory-local variables in this directory\n\n")
 	  (insert "\n\n"))
 	(dolist (elt all-vars)
 	  (cond ((member elt unsafe-vars)
@@ -3758,7 +3770,7 @@ i  -- to ignore the local variables list, and permanently mark these
 	(pop-to-buffer buf '(display-buffer--maybe-at-bottom))
 	(let* ((exit-chars '(?y ?n ?\s))
 	       (prompt (format "Please type %s%s: "
-			       (if offer-save "y, n, ! or i" "y or n")
+			       (if offer-save "y, n, !, i, or +" "y or n")
 			       (if (< (line-number-at-pos (point-max))
 				      (window-body-height))
 				   ""
@@ -3766,8 +3778,12 @@ i  -- to ignore the local variables list, and permanently mark these
 	       char)
 	  (when offer-save
             (push ?i exit-chars)
-            (push ?! exit-chars))
+            (push ?! exit-chars)
+            (push ?+ exit-chars))
 	  (setq char (read-char-choice prompt exit-chars))
+          (when (and offer-save (= char ?+))
+            (customize-push-and-save 'safe-local-variable-directories
+                                     (list dir-name)))
 	  (when (and offer-save
                      (or (= char ?!) (= char ?i))
                      unsafe-vars)
@@ -3776,7 +3792,7 @@ i  -- to ignore the local variables list, and permanently mark these
                  'safe-local-variable-values
                'ignored-local-variable-values)
              unsafe-vars))
-	  (prog1 (memq char '(?! ?\s ?y))
+	  (prog1 (memq char '(?! ?\s ?y ?+))
 	    (quit-window t)))))))
 
 (defconst hack-local-variable-regexp
@@ -3908,6 +3924,7 @@ DIR-NAME is the name of the associated directory.  Otherwise it is nil."
 		  (null unsafe-vars)
 		  (null risky-vars))
 	     (memq enable-local-variables '(:all :safe))
+             (member dir-name safe-local-variable-directories)
 	     (hack-local-variables-confirm all-vars unsafe-vars
 					   risky-vars dir-name))
 	 (dolist (elt all-vars)
diff --git a/test/lisp/files-tests.el b/test/lisp/files-tests.el
index aadb60e1de7..af74a8b1ecf 100644
--- a/test/lisp/files-tests.el
+++ b/test/lisp/files-tests.el
@@ -166,6 +166,27 @@ form.")
       (hack-local-variables)
       (should (eq lexical-binding nil)))))
 
+(ert-deftest files-tests-safe-local-variable-directories ()
+  ;; safe-local-variable-directories should be risky,
+  ;; so use it as an arbitrary risky variable.
+  (let ((test-alist '((safe-local-variable-directories . "some_val")))
+        (fakedir "test1/test2")
+        (enable-local-eval t))
+    (with-temp-buffer
+      (setq safe-local-variable-directories (list fakedir))
+      (hack-local-variables-filter test-alist fakedir)
+      (should (equal file-local-variables-alist test-alist)))
+    (with-temp-buffer
+      (setq safe-local-variable-directories (list fakedir))
+      (setq noninteractive t)
+      (hack-local-variables-filter test-alist "wrong")
+      (should-not (equal file-local-variables-alist test-alist)))
+    (with-temp-buffer
+      (setq safe-local-variable-directories '())
+      (setq noninteractive t)
+      (hack-local-variables-filter test-alist fakedir)
+      (should-not (equal file-local-variables-alist test-alist)))))
+
 (defvar files-test-bug-18141-file
   (ert-resource-file "files-bug18141.el.gz")
   "Test file for bug#18141.")
-- 
2.39.2


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #3: 0001-Ignore-rerolled-patches.patch --]
[-- Type: text/x-patch, Size: 608 bytes --]

From e847ad3f782304f210c318502da031d8a810834f Mon Sep 17 00:00:00 2001
From: Antero Mejr <antero@mailbox.org>
Date: Tue, 25 Apr 2023 15:33:18 +0000
Subject: [PATCH] Ignore rerolled patches.

* .gitignore (Version control and locks): Ignore .patch files that
start with "v" and a number 0-99.
---
 .gitignore | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.gitignore b/.gitignore
index b09a0c030b3..139eb49ba41 100644
--- a/.gitignore
+++ b/.gitignore
@@ -283,6 +283,8 @@ gnustmp*
 \#*\#
 ChangeLog
 [0-9]*.patch
+v[0-9]-[0-9]*.patch
+v[0-9][0-9]-[0-9]*.patch
 [0-9]*.txt
 /vc-dwim-log-*
 
-- 
2.39.2

bug#61901: 30.0.50; [PATCH v3] Add safe-local-variable-directories variable.

[Eli Zaretskii]

> Date: Tue, 25 Apr 2023 16:40:07 +0000
> From:  Antero Mejr via "Bug reports for GNU Emacs,
>  the Swiss army knife of text editors" <bug-gnu-emacs@gnu.org>
> 
> Updated safe-local-variable-directories patch onto master and added bug
> number to commit message.

Thanks, see some comments below.

> Also should I use git --reroll-count to make v2 patches, v3, etc?

You don't have to.  The version part is removed by "git am" anyway,
and it is not important for patch review here.

> --- a/doc/lispref/variables.texi
> +++ b/doc/lispref/variables.texi
> @@ -1977,6 +1977,13 @@ this can be controlled by using this variable, which is a list of
>  symbols.
>  @end defvar
>  
> +@defvar safe-local-variable-directories
> +This is a list of directories where local variables are always enabled.
> +Directory-local variables loaded from these directories, such as the
> +variables in @file{.dir-locals.el}, will be enabled even if they are
> +risky.
> +@end defvar

This variable should also be documented in the Emacs user manual, not
only in the ELisp Reference manual -- it's a user option, and a very
important one at that.

> ++++
> +** New variable 'safe-local-variable-directories'.
> +This variable is used to to permanently trust directories containing
> +risky directory-local variables.

I would rephrase:

  This variable names directories in which Emacs will treat all
  directory-local variables as safe.

>  ALL-VARS is the list of all variables to be set up.
> @@ -3734,7 +3744,9 @@ n  -- to ignore the local variables list.")
>  !  -- to apply the local variables list, and permanently mark these
>        values (*) as safe (in the future, they will be set automatically.)
>  i  -- to ignore the local variables list, and permanently mark these
> -      values (*) as ignored\n\n")
> +      values (*) as ignored
> ++  -- to apply the local variables list, and permanently trust all
> +      directory-local variables in this directory\n\n")

I would remove the "permanently" part, it would just confuse here.

> @@ -3908,6 +3924,7 @@ DIR-NAME is the name of the associated directory.  Otherwise it is nil."
>  		  (null unsafe-vars)
>  		  (null risky-vars))
>  	     (memq enable-local-variables '(:all :safe))
> +             (member dir-name safe-local-variable-directories)

If you use 'member' for this test, then (a) the documentation of
safe-local-variable-directories should explicitly say that the
directories in the list must be in full absolute form, and (b) we
should consider the various issues with file names that are not
'equal' as strings, but still name the same directory, such as
letter-case differences on case-insensitive filesystems.  And what
about equality of "foo/" "and "foo"?

Also, is 'dir-name' above guaranteed to be a fully-expanded absolute
file name?

> +(ert-deftest files-tests-safe-local-variable-directories ()
> +  ;; safe-local-variable-directories should be risky,
> +  ;; so use it as an arbitrary risky variable.
> +  (let ((test-alist '((safe-local-variable-directories . "some_val")))
> +        (fakedir "test1/test2")
> +        (enable-local-eval t))
> +    (with-temp-buffer
> +      (setq safe-local-variable-directories (list fakedir))

The test should use absolute directory names for directories you put
into safe-local-variable-directories.

bug#61901: 30.0.50; [PATCH v3] Add safe-local-variable-directories variable.

[Antero Mejr via Bug reports for GNU Emacs, the Swiss army knife of text editors]

[-- Attachment #1: Type: text/plain, Size: 3136 bytes --]


>> +@defvar safe-local-variable-directories
>> +This is a list of directories where local variables are always enabled.
>> +Directory-local variables loaded from these directories, such as the
>> +variables in @file{.dir-locals.el}, will be enabled even if they are
>> +risky.
>> +@end defvar
>
>This variable should also be documented in the Emacs user manual, not
>only in the ELisp Reference manual -- it's a user option, and a very
>important one at that.

Added to the manual in custom.texi "Safe File Variables" subsection.

>> ++++
>> +** New variable 'safe-local-variable-directories'.
>> +This variable is used to to permanently trust directories containing
>> +risky directory-local variables.
>
>I would rephrase:
>
>  This variable names directories in which Emacs will treat all
>  directory-local variables as safe.

Fixed in attached patch.

>>  ALL-VARS is the list of all variables to be set up.
>> @@ -3734,7 +3744,9 @@ n  -- to ignore the local variables list.")
>>  !  -- to apply the local variables list, and permanently mark these
>>        values (*) as safe (in the future, they will be set automatically.)
>>  i  -- to ignore the local variables list, and permanently mark these
>> -      values (*) as ignored\n\n")
>> +      values (*) as ignored
>> ++  -- to apply the local variables list, and permanently trust all
>> +      directory-local variables in this directory\n\n")
>
>I would remove the "permanently" part, it would just confuse here.

Fixed.

>> @@ -3908,6 +3924,7 @@ DIR-NAME is the name of the associated directory.  
>> Otherwise it is nil."
>>                 (null unsafe-vars)
>>                 (null risky-vars))
>>            (memq enable-local-variables '(:all :safe))
>> +             (member dir-name safe-local-variable-directories)
>
>If you use 'member' for this test, then (a) the documentation of
>safe-local-variable-directories should explicitly say that the
>directories in the list must be in full absolute form, and (b) we
>should consider the various issues with file names that are not
>'equal' as strings, but still name the same directory, such as
>letter-case differences on case-insensitive filesystems.  And what
>about equality of "foo/" "and "foo"?

Clarified the documentation. The directory path requires a trailing
separator, and is case-sensitive regardless of the filesystem (tested
on vFAT).

>Also, is 'dir-name' above guaranteed to be a fully-expanded absolute
>file name?

Yes. For TRAMP connections it's a string with text properties, but it's
the same equality-wise.

#("/ssh:user:/home/user/src/" 5 6 (tramp-default t))

>> +(ert-deftest files-tests-safe-local-variable-directories ()
>> +  ;; safe-local-variable-directories should be risky,
>> +  ;; so use it as an arbitrary risky variable.
>> +  (let ((test-alist '((safe-local-variable-directories . "some_val")))
>> +        (fakedir "test1/test2")
>> +        (enable-local-eval t))
>> +    (with-temp-buffer
>> +      (setq safe-local-variable-directories (list fakedir))
>
>The test should use absolute directory names for directories you put
>into safe-local-variable-directories.

Fixed.


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-Add-safe-local-variable-directories-variable.patch --]
[-- Type: text/x-patch, Size: 9984 bytes --]

From 4ecb9ebc01c856f896ed2fee110b491209e23c4e Mon Sep 17 00:00:00 2001
From: Antero Mejr <antero@mailbox.org>
Date: Tue, 9 May 2023 20:51:14 +0000
Subject: [PATCH] Add safe-local-variable-directories variable.

This variable can be set to automatically load risky dir-local
variables from a list of trusted directories.

* lisp/emacs-lisp/files.el (safe-local-variable-directories,
hack-local-variables-filter, hack-local-variables-confirm): New
variable and associated logic.
* test/lisp/files-tests.el
(files-tests-safe-local-variable-directories): Add tests for same.
* doc/emacs/custom.texi (Safe File Variables): Add documentation for
same.
* doc/lispref/variables.texi (File Local Variables): Add documentation
for same.
* etc/NEWS (Lisp Changes in Emacs 30.1): Add news entry for
same.  (Bug#61901)
---
 doc/emacs/custom.texi      | 22 ++++++++++++++++++++++
 doc/lispref/variables.texi | 12 ++++++++++++
 etc/NEWS                   |  5 +++++
 lisp/files.el              | 34 +++++++++++++++++++++++++++++-----
 test/lisp/files-tests.el   | 21 +++++++++++++++++++++
 5 files changed, 89 insertions(+), 5 deletions(-)

diff --git a/doc/emacs/custom.texi b/doc/emacs/custom.texi
index 87290734cc9..2ddd39be31f 100644
--- a/doc/emacs/custom.texi
+++ b/doc/emacs/custom.texi
@@ -1328,6 +1328,13 @@ pairs in the file, by typing @kbd{i} at the confirmation prompt --
 these pairs will thereafter be ignored in this file and in all other
 files.
 
+  For directory-local variable/value pairs
+(@pxref{Directory Variables}), typing @kbd{+} at the confirmation
+prompt will set all the variable/value pairs, and recognize all
+variables in that directory as safe in the future.  This option should
+only be used for directories whose contents you trust.  The @kbd{+}
+confirmation prompt option is not available for file-local variables.
+
 @vindex safe-local-variable-values
 @vindex ignored-local-variable-values
 @cindex risky variable
@@ -1344,6 +1351,21 @@ record safe values for risky variables, do it directly by customizing
 Similarly, if you want to record values of risky variables that should
 be permanently ignored, customize @code{ignored-local-variable-values}.
 
+@vindex safe-local-variable-directories
+  Sometimes it is helpful to always trust risky variables in a certain
+directory, and skip the confirmation prompt when directory-local
+variables are loaded there.  When @kbd{+} is pressed at the risky
+variable confirmation prompt, the directory in question is added to
+the @samp{safe-local-variable-directories} variable, and risky
+directory-local variables there will be loaded without prompting in
+the future.  If customizing @samp{safe-local-variable-directories}
+manually, the directories in this list must be fully-expanded absolute
+paths that end in a directory separator character.  Directory paths
+may be remote directory paths (@pxref{Remote Files}), if the
+@code{enable-remote-dir-locals} variable is set to @code{t}.
+Directory paths in this list are case-sensitive, even if the
+filesystem is not.
+
 @vindex enable-local-variables
   The variable @code{enable-local-variables} allows you to change the
 way Emacs processes local variables.  Its default value is @code{t},
diff --git a/doc/lispref/variables.texi b/doc/lispref/variables.texi
index eadb5c36de6..52a94db3703 100644
--- a/doc/lispref/variables.texi
+++ b/doc/lispref/variables.texi
@@ -1977,6 +1977,18 @@ this can be controlled by using this variable, which is a list of
 symbols.
 @end defvar
 
+@defvar safe-local-variable-directories
+This is a list of directories where local variables are always
+enabled.  Directory-local variables loaded from these directories,
+such as the variables in @file{.dir-locals.el}, will be enabled even
+if they are risky.  The directories in this list must be
+fully-expanded absolute paths that end in a directory separator
+character.  They may also be remote directory paths if the
+@code{enable-remote-dir-locals} variable is set to @code{t}.
+Directory paths in this list are case-sensitive, even if the
+filesystem is not.
+@end defvar
+
 @defun hack-local-variables &optional handle-mode
 This function parses, and binds or evaluates as appropriate, any local
 variables specified by the contents of the current buffer.  The variable
diff --git a/etc/NEWS b/etc/NEWS
index 3c71e52fff4..3bef9d2ed2a 100644
--- a/etc/NEWS
+++ b/etc/NEWS
@@ -380,6 +380,11 @@ hooks named after the feature name, like 'esh-mode-unload-hook'.
 \f
 * Lisp Changes in Emacs 30.1
 
++++
+** New variable 'safe-local-variable-directories'.
+This variable names directories in which Emacs will treat all
+directory-local variables as safe.
+
 ** New variable 'inhibit-auto-fill' to temporarily prevent auto-fill.
 
 ** Functions and variables to transpose sexps
diff --git a/lisp/files.el b/lisp/files.el
index c6f53e5eaf8..aa01e638c98 100644
--- a/lisp/files.el
+++ b/lisp/files.el
@@ -681,7 +681,8 @@ The command \\[normal-mode], when used interactively,
 always obeys file local variable specifications and the -*- line,
 and ignores this variable.
 
-Also see the `permanently-enabled-local-variables' variable."
+Also see the `permanently-enabled-local-variables' and
+`safe-local-variable-directories' variables."
   :risky t
   :type '(choice (const :tag "Query Unsafe" t)
 		 (const :tag "Safe Only" :safe)
@@ -3696,6 +3697,15 @@ variable to set.")
   "A list of file-local variables that are always enabled.
 This overrides any `enable-local-variables' setting.")
 
+(defcustom safe-local-variable-directories '()
+  "A list of directories where local variables are always enabled.
+Directory-local variables loaded from these directories, such as the
+variables in .dir-locals.el, will be enabled even if they are risky."
+  :version "30.1"
+  :type '(repeat string)
+  :risky t
+  :group 'find-file)
+
 (defun hack-local-variables-confirm (all-vars unsafe-vars risky-vars dir-name)
   "Get confirmation before setting up local variable values.
 ALL-VARS is the list of all variables to be set up.
@@ -3734,7 +3744,11 @@ n  -- to ignore the local variables list.")
 !  -- to apply the local variables list, and permanently mark these
       values (*) as safe (in the future, they will be set automatically.)
 i  -- to ignore the local variables list, and permanently mark these
-      values (*) as ignored\n\n")
+      values (*) as ignored"
+                    (if dir-name "
++  -- to apply the local variables list, and trust all directory-local
+      variables in this directory\n\n"
+                      "\n\n"))
 	  (insert "\n\n"))
 	(dolist (elt all-vars)
 	  (cond ((member elt unsafe-vars)
@@ -3758,7 +3772,11 @@ i  -- to ignore the local variables list, and permanently mark these
 	(pop-to-buffer buf '(display-buffer--maybe-at-bottom))
 	(let* ((exit-chars '(?y ?n ?\s))
 	       (prompt (format "Please type %s%s: "
-			       (if offer-save "y, n, ! or i" "y or n")
+			       (if offer-save
+                                   (if dir-name
+                                       "y, n, !, i, +"
+                                     "y, n, !, i")
+                                 "y or n")
 			       (if (< (line-number-at-pos (point-max))
 				      (window-body-height))
 				   ""
@@ -3766,8 +3784,13 @@ i  -- to ignore the local variables list, and permanently mark these
 	       char)
 	  (when offer-save
             (push ?i exit-chars)
-            (push ?! exit-chars))
+            (push ?! exit-chars)
+            (when dir-name
+              (push ?+ exit-chars)))
 	  (setq char (read-char-choice prompt exit-chars))
+          (when (and offer-save dir-name (= char ?+))
+            (customize-push-and-save 'safe-local-variable-directories
+                                     (list dir-name)))
 	  (when (and offer-save
                      (or (= char ?!) (= char ?i))
                      unsafe-vars)
@@ -3776,7 +3799,7 @@ i  -- to ignore the local variables list, and permanently mark these
                  'safe-local-variable-values
                'ignored-local-variable-values)
              unsafe-vars))
-	  (prog1 (memq char '(?! ?\s ?y))
+	  (prog1 (memq char '(?! ?\s ?y ?+))
 	    (quit-window t)))))))
 
 (defconst hack-local-variable-regexp
@@ -3908,6 +3931,7 @@ DIR-NAME is the name of the associated directory.  Otherwise it is nil."
 		  (null unsafe-vars)
 		  (null risky-vars))
 	     (memq enable-local-variables '(:all :safe))
+             (member dir-name safe-local-variable-directories)
 	     (hack-local-variables-confirm all-vars unsafe-vars
 					   risky-vars dir-name))
 	 (dolist (elt all-vars)
diff --git a/test/lisp/files-tests.el b/test/lisp/files-tests.el
index aadb60e1de7..e87bb3cfa0a 100644
--- a/test/lisp/files-tests.el
+++ b/test/lisp/files-tests.el
@@ -166,6 +166,27 @@ form.")
       (hack-local-variables)
       (should (eq lexical-binding nil)))))
 
+(ert-deftest files-tests-safe-local-variable-directories ()
+  ;; safe-local-variable-directories should be risky,
+  ;; so use it as an arbitrary risky variable.
+  (let ((test-alist '((safe-local-variable-directories . "some_val")))
+        (fakedir "/test1/test2/")
+        (enable-local-eval t))
+    (with-temp-buffer
+      (setq safe-local-variable-directories (list fakedir))
+      (hack-local-variables-filter test-alist fakedir)
+      (should (equal file-local-variables-alist test-alist)))
+    (with-temp-buffer
+      (setq safe-local-variable-directories (list fakedir))
+      (setq noninteractive t)
+      (hack-local-variables-filter test-alist "wrong")
+      (should-not (equal file-local-variables-alist test-alist)))
+    (with-temp-buffer
+      (setq safe-local-variable-directories '())
+      (setq noninteractive t)
+      (hack-local-variables-filter test-alist fakedir)
+      (should-not (equal file-local-variables-alist test-alist)))))
+
 (defvar files-test-bug-18141-file
   (ert-resource-file "files-bug18141.el.gz")
   "Test file for bug#18141.")
-- 
2.39.2

bug#61901: 30.0.50; [PATCH v3] Add safe-local-variable-directories variable.

[Eli Zaretskii]

> From: Antero Mejr <antero@mailbox.org>
> Cc: 61901@debbugs.gnu.org
> Date: Tue, 09 May 2023 21:29:54 +0000
> 
> >> +@defvar safe-local-variable-directories
> >> +This is a list of directories where local variables are always enabled.
> >> +Directory-local variables loaded from these directories, such as the
> >> +variables in @file{.dir-locals.el}, will be enabled even if they are
> >> +risky.
> >> +@end defvar
> >
> >This variable should also be documented in the Emacs user manual, not
> >only in the ELisp Reference manual -- it's a user option, and a very
> >important one at that.
> 
> Added to the manual in custom.texi "Safe File Variables" subsection.
> 
> >> ++++
> >> +** New variable 'safe-local-variable-directories'.
> >> +This variable is used to to permanently trust directories containing
> >> +risky directory-local variables.
> >
> >I would rephrase:
> >
> >  This variable names directories in which Emacs will treat all
> >  directory-local variables as safe.
> 
> Fixed in attached patch.
> 
> >>  ALL-VARS is the list of all variables to be set up.
> >> @@ -3734,7 +3744,9 @@ n  -- to ignore the local variables list.")
> >>  !  -- to apply the local variables list, and permanently mark these
> >>        values (*) as safe (in the future, they will be set automatically.)
> >>  i  -- to ignore the local variables list, and permanently mark these
> >> -      values (*) as ignored\n\n")
> >> +      values (*) as ignored
> >> ++  -- to apply the local variables list, and permanently trust all
> >> +      directory-local variables in this directory\n\n")
> >
> >I would remove the "permanently" part, it would just confuse here.
> 
> Fixed.
> 
> >> @@ -3908,6 +3924,7 @@ DIR-NAME is the name of the associated directory.  
> >> Otherwise it is nil."
> >>                 (null unsafe-vars)
> >>                 (null risky-vars))
> >>            (memq enable-local-variables '(:all :safe))
> >> +             (member dir-name safe-local-variable-directories)
> >
> >If you use 'member' for this test, then (a) the documentation of
> >safe-local-variable-directories should explicitly say that the
> >directories in the list must be in full absolute form, and (b) we
> >should consider the various issues with file names that are not
> >'equal' as strings, but still name the same directory, such as
> >letter-case differences on case-insensitive filesystems.  And what
> >about equality of "foo/" "and "foo"?
> 
> Clarified the documentation. The directory path requires a trailing
> separator, and is case-sensitive regardless of the filesystem (tested
> on vFAT).
> 
> >Also, is 'dir-name' above guaranteed to be a fully-expanded absolute
> >file name?
> 
> Yes. For TRAMP connections it's a string with text properties, but it's
> the same equality-wise.
> 
> #("/ssh:user:/home/user/src/" 5 6 (tramp-default t))
> 
> >> +(ert-deftest files-tests-safe-local-variable-directories ()
> >> +  ;; safe-local-variable-directories should be risky,
> >> +  ;; so use it as an arbitrary risky variable.
> >> +  (let ((test-alist '((safe-local-variable-directories . "some_val")))
> >> +        (fakedir "test1/test2")
> >> +        (enable-local-eval t))
> >> +    (with-temp-buffer
> >> +      (setq safe-local-variable-directories (list fakedir))
> >
> >The test should use absolute directory names for directories you put
> >into safe-local-variable-directories.
> 
> Fixed.

Thanks, I installed this on the master branch, and I'm therefore
closing this bug.

Please note some minor changes I made in the documentation parts of
the changeset, the most notable one being the use of "path" to allude
to file names or directory names: the Gnu Coding Standards frown on
that.  We use "path" only for lists of directories in the style of
PATH environment variable or load-path Lisp variable.

Thanks again for working on this feature.

bug#61901: 30.0.50; [PATCH v3] Add safe-local-variable-directories variable.

[Eli Zaretskii]

> From: Antero Mejr <antero@mailbox.org>
> Date: Thu, 11 May 2023 15:42:38 +0000
> 
> Thanks. I looked it over and found a typo. Patch is attached.

Thanks, I removed the redundant text (not exactly the one you proposed
to remove).  It was your original text, which I replaced with modified
one, left there by mistake.

> diff --git a/doc/lispref/variables.texi b/doc/lispref/variables.texi
> index b3a8cd8110c..28deddf985d 100644
> --- a/doc/lispref/variables.texi
> +++ b/doc/lispref/variables.texi
> @@ -1986,7 +1986,7 @@ fully-expanded absolute file names that end in a directory separator
>  character.  They may also be remote directories if the variable
>  @code{enable-remote-dir-locals} is set non-@code{nil}.  Directories in
>  this list are matched case-sensitively, even if the filesystem is
> -case-sensitive.
> +case-insensitive.
>  @end defvar

This actually means that I misunderstood the code.  Now that I see the
truth, why is it a good idea to compare directories case-sensitively
when the filesystem is not?  That's not something users will expect.

(And why private email?  Please keep the bug address on the CC list.)

bug#61901: 30.0.50; [PATCH v3] Add safe-local-variable-directories variable.

[Antero Mejr via Bug reports for GNU Emacs, the Swiss army knife of text editors]

Eli Zaretskii <eliz@gnu.org> writes:

>> diff --git a/doc/lispref/variables.texi b/doc/lispref/variables.texi
>> index b3a8cd8110c..28deddf985d 100644
>> --- a/doc/lispref/variables.texi
>> +++ b/doc/lispref/variables.texi
>> @@ -1986,7 +1986,7 @@ fully-expanded absolute file names that end in a
>> directory separator
>>  character.  They may also be remote directories if the variable
>>  @code{enable-remote-dir-locals} is set non-@code{nil}.  Directories in
>>  this list are matched case-sensitively, even if the filesystem is
>> -case-sensitive.
>> +case-insensitive.
>>  @end defvar
>
> This actually means that I misunderstood the code.  Now that I see the
> truth, why is it a good idea to compare directories case-sensitively
> when the filesystem is not?  That's not something users will expect.

What if a directory's case sensitivity changes so that it previously did
not match, but now does? This could happen with Windows per-directory
case sensitivity modifications, mounted disks, or remote paths.

To accurately assess if a directory name matches with possible
case-sensitivity, the process would be:
1. check the case-sensitivity of the filesystem
2. If case insensitive, check the case-sensitivity of each subdirectory
(using Windows queryCaseSensitiveInfo if applicable)
3. map over the components of the directory name, checking each subdirectory
with the correct case-sensitivity setting

That logic would be difficult for users to reason about, so for features
with security considerations like this I think it's better to err on the
side of safety and simplicity even if the behavior is stricter than
expected.

bug#61901: 30.0.50; [PATCH v3] Add safe-local-variable-directories variable.

[Eli Zaretskii]

> From: Antero Mejr <antero@mailbox.org>
> Cc: 61901@debbugs.gnu.org
> Date: Thu, 11 May 2023 17:49:50 +0000
> 
> Eli Zaretskii <eliz@gnu.org> writes:
> 
> > This actually means that I misunderstood the code.  Now that I see the
> > truth, why is it a good idea to compare directories case-sensitively
> > when the filesystem is not?  That's not something users will expect.
> 
> What if a directory's case sensitivity changes so that it previously did
> not match, but now does? This could happen with Windows per-directory
> case sensitivity modifications, mounted disks, or remote paths.
> 
> To accurately assess if a directory name matches with possible
> case-sensitivity, the process would be:
> 1. check the case-sensitivity of the filesystem
> 2. If case insensitive, check the case-sensitivity of each subdirectory
> (using Windows queryCaseSensitiveInfo if applicable)
> 3. map over the components of the directory name, checking each subdirectory
> with the correct case-sensitivity setting
> 
> That logic would be difficult for users to reason about, so for features
> with security considerations like this I think it's better to err on the
> side of safety and simplicity even if the behavior is stricter than
> expected.

We already have all that in file-equal-p.  We should just use is
there.

bug#61901: 30.0.50; [PATCH v3] Add safe-local-variable-directories variable.

[Antero Mejr via Bug reports for GNU Emacs, the Swiss army knife of text editors]

[-- Attachment #1: Type: text/plain, Size: 808 bytes --]

Eli Zaretskii <eliz@gnu.org> writes:

>> > This actually means that I misunderstood the code.  Now that I see the
>> > truth, why is it a good idea to compare directories case-sensitively
>> > when the filesystem is not?  That's not something users will expect.
>> 
>> To accurately assess if a directory name matches with possible
>> case-sensitivity, the process would be:
>> 1. check the case-sensitivity of the filesystem
>> 2. If case insensitive, check the case-sensitivity of each subdirectory
>> (using Windows queryCaseSensitiveInfo if applicable)
>> 3. map over the components of the directory name, checking each subdirectory
>> with the correct case-sensitivity setting
>
> We already have all that in file-equal-p.  We should just use is
> there.

Ok, patch is attached (tested on FAT32 disk).


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-Handle-case-insensitivity-for-safe-local-variable-di.patch --]
[-- Type: text/x-patch, Size: 2067 bytes --]

From 338629b4dc6da17460c96a19178307e6db4bd5d8 Mon Sep 17 00:00:00 2001
From: Antero Mejr <antero@mailbox.org>
Date: Thu, 11 May 2023 19:22:49 +0000
Subject: [PATCH] Handle case-insensitivity for
 safe-local-variable-directories.

* lisp/emacs-lisp/files.el (hack-local-variables-filter): Use
file-equal-p when checking safe-local-variable-directories.
* doc/lispref/variables.texi (File Local Variables): Remove sentence
in safe-local-variable-directories description about unusual
case-sensitivity behavior.  (Bug#61901)
---
 doc/lispref/variables.texi | 4 +---
 lisp/files.el              | 4 +++-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/doc/lispref/variables.texi b/doc/lispref/variables.texi
index b3a8cd8110c..d8f0ad489bc 100644
--- a/doc/lispref/variables.texi
+++ b/doc/lispref/variables.texi
@@ -1984,9 +1984,7 @@ such as the variables in @file{.dir-locals.el}, will be enabled even
 if they are risky.  The directories in this list must be
 fully-expanded absolute file names that end in a directory separator
 character.  They may also be remote directories if the variable
-@code{enable-remote-dir-locals} is set non-@code{nil}.  Directories in
-this list are matched case-sensitively, even if the filesystem is
-case-sensitive.
+@code{enable-remote-dir-locals} is set non-@code{nil}.
 @end defvar
 
 @defun hack-local-variables &optional handle-mode
diff --git a/lisp/files.el b/lisp/files.el
index 35d794f6dcf..a3e7e2bd65d 100644
--- a/lisp/files.el
+++ b/lisp/files.el
@@ -3934,7 +3934,9 @@ DIR-NAME is the name of the associated directory.  Otherwise it is nil."
 		  (null unsafe-vars)
 		  (null risky-vars))
 	     (memq enable-local-variables '(:all :safe))
-             (member dir-name safe-local-variable-directories)
+             (delq nil (mapcar (lambda (dir)
+                                 (file-equal-p dir dir-name))
+                               safe-local-variable-directories))
 	     (hack-local-variables-confirm all-vars unsafe-vars
 					   risky-vars dir-name))
 	 (dolist (elt all-vars)
-- 
2.39.2

bug#61901: 30.0.50; [PATCH v3] Add safe-local-variable-directories variable.

[Antero Mejr via Bug reports for GNU Emacs, the Swiss army knife of text editors]

[-- Attachment #1: Type: text/plain, Size: 1041 bytes --]

Antero Mejr <antero@mailbox.org> writes:

> Eli Zaretskii <eliz@gnu.org> writes:
>
>>> > This actually means that I misunderstood the code.  Now that I see the
>>> > truth, why is it a good idea to compare directories case-sensitively
>>> > when the filesystem is not?  That's not something users will expect.
>>> 
>>> To accurately assess if a directory name matches with possible
>>> case-sensitivity, the process would be:
>>> 1. check the case-sensitivity of the filesystem
>>> 2. If case insensitive, check the case-sensitivity of each subdirectory
>>> (using Windows queryCaseSensitiveInfo if applicable)
>>> 3. map over the components of the directory name, checking each subdirectory
>>> with the correct case-sensitivity setting
>>
>> We already have all that in file-equal-p.  We should just use is
>> there.
>
> Ok, patch is attached (tested on FAT32 disk).

Please ignore that last patch, here is a corrected version with updated
docs. Since file-equal-p handles the trailing slash, now it doesn't
matter if there is/isn't one.


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-Handle-case-insensitivity-for-safe-local-variable-di.patch --]
[-- Type: text/x-patch, Size: 3495 bytes --]

From 175280bff2574cc7b826025903d4ca1802b7c5e6 Mon Sep 17 00:00:00 2001
From: Antero Mejr <antero@mailbox.org>
Date: Thu, 11 May 2023 19:22:49 +0000
Subject: [PATCH] Handle case-insensitivity for
 safe-local-variable-directories.

* lisp/emacs-lisp/files.el (hack-local-variables-filter): Use
file-equal-p when checking safe-local-variable-directories.
* doc/lispref/variables.texi (File Local Variables): Remove sentences
in safe-local-variable-directories description about case-sensitivity
and trailing slash behaviors.
* doc/emacs/custom.texi (Safe File Variables): Remove sentence about
safe-local-variable-directories trailing slash behavior.  (Bug#61901)
---
 doc/emacs/custom.texi      | 7 +++----
 doc/lispref/variables.texi | 8 +++-----
 lisp/files.el              | 5 ++++-
 3 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/doc/emacs/custom.texi b/doc/emacs/custom.texi
index d8abf81c75f..d8221f51425 100644
--- a/doc/emacs/custom.texi
+++ b/doc/emacs/custom.texi
@@ -1359,10 +1359,9 @@ certain directories, and skip the confirmation prompt when local
 variables are loaded from those directories, even if the variables are
 risky.  The variable @code{safe-local-variable-directories} holds the
 list of such directories.  The names of the directories in this list
-must be full absolute file names, and should end in a slash.  If the
-variable @code{enable-remote-dir-locals} has a non-@code{nil} value,
-the list can include remote directories as well (@pxref{Remote
-Files}).
+must be full absolute file names.  If the variable
+@code{enable-remote-dir-locals} has a non-@code{nil} value, the list
+can include remote directories as well (@pxref{Remote Files}).
 
 @vindex enable-local-variables
   The variable @code{enable-local-variables} allows you to change the
diff --git a/doc/lispref/variables.texi b/doc/lispref/variables.texi
index b3a8cd8110c..4eda035473e 100644
--- a/doc/lispref/variables.texi
+++ b/doc/lispref/variables.texi
@@ -1982,11 +1982,9 @@ This is a list of directories where local variables are always
 enabled.  Directory-local variables loaded from these directories,
 such as the variables in @file{.dir-locals.el}, will be enabled even
 if they are risky.  The directories in this list must be
-fully-expanded absolute file names that end in a directory separator
-character.  They may also be remote directories if the variable
-@code{enable-remote-dir-locals} is set non-@code{nil}.  Directories in
-this list are matched case-sensitively, even if the filesystem is
-case-sensitive.
+fully-expanded absolute file names.  They may also be remote
+directories if the variable @code{enable-remote-dir-locals} is set
+non-@code{nil}.
 @end defvar
 
 @defun hack-local-variables &optional handle-mode
diff --git a/lisp/files.el b/lisp/files.el
index 35d794f6dcf..148f47cbc97 100644
--- a/lisp/files.el
+++ b/lisp/files.el
@@ -3934,7 +3934,10 @@ DIR-NAME is the name of the associated directory.  Otherwise it is nil."
 		  (null unsafe-vars)
 		  (null risky-vars))
 	     (memq enable-local-variables '(:all :safe))
-             (member dir-name safe-local-variable-directories)
+             (delq nil (mapcar (lambda (dir)
+                                 (and dir-name dir
+                                      (file-equal-p dir dir-name)))
+                               safe-local-variable-directories))
 	     (hack-local-variables-confirm all-vars unsafe-vars
 					   risky-vars dir-name))
 	 (dolist (elt all-vars)
-- 
2.39.2

bug#61901: 30.0.50; [PATCH v3] Add safe-local-variable-directories variable.

[Eli Zaretskii]

> From: Antero Mejr <antero@mailbox.org>
> Cc: 61901@debbugs.gnu.org
> Date: Thu, 11 May 2023 21:38:33 +0000
> 
> Please ignore that last patch, here is a corrected version with updated
> docs. Since file-equal-p handles the trailing slash, now it doesn't
> matter if there is/isn't one.

Thanks, installed.

This change broke files-tests, so I installed a fix there.