From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail
From: Philipp Stephani <p.stephani2@gmail.com>
Newsgroups: gmane.emacs.bugs
Subject: bug#45198: 28.0.50; Sandbox mode
Date: Tue, 29 Dec 2020 14:58:33 +0100
Message-ID: <CAArVCkSupEERq11HhSBY_GWA+SyU-b+aRHc8auY=VABPZ7LFgw@mail.gmail.com>
References: <0917E396-F78C-45BF-8A1F-5C23CA722D9A@acm.org>
 <CAArVCkT0bA+5tqgMZrf1-cuenZi0v2mwY=LLZDXPJbRjtKFCuw@mail.gmail.com>
 <F4789EA5-BCBC-4B10-BA52-3329DB9C9E42@acm.org>
 <CAArVCkTWdYNSe+=uvUMXMe0pcSL+gWsfQW=mVWn3aq5bGF5iTg@mail.gmail.com>
 <26556EDE-9133-450F-9181-2859E058677C@acm.org>
 <CAArVCkTifUSH4n0L4iNho+JdD40FkJ4udvU-jbxM4arTWQ8Vhw@mail.gmail.com>
 <D3A22728-8650-409B-9406-45A1C191C5F9@acm.org>
 <CAArVCkT3dCXrjuRpwVVPc=Zx_ZZg2oztpfk34U7Kb5KLnXx=Cw@mail.gmail.com>
 <414E5ED4-0105-43FF-9DF5-D5A2E32E586B@acm.org>
 <CAArVCkST2aCAa3a3YbNZEpysek0HrwPDsVDBRtt4=NSYXFObRQ@mail.gmail.com>
 <CADwFkm=Jjx3EnF6SYYNr=hFFLWuL=ZFeuMVhyOprbufydN9Dkg@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214";
	logging-data="24594"; mail-complaints-to="usenet@ciao.gmane.io"
Cc: Bastien <bzg@gnu.org>,
 Mattias =?UTF-8?Q?Engdeg=C3=A5rd?= <mattiase@acm.org>, 45198@debbugs.gnu.org,
 Stefan Monnier <monnier@iro.umontreal.ca>,
 =?UTF-8?Q?Jo=C3=A3o_?= =?UTF-8?Q?T=C3=A1vora?= <joaotavora@gmail.com>
To: Stefan Kangas <stefankangas@gmail.com>
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Tue Dec 29 14:59:11 2020
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane-mx.org
Original-Received: from lists.gnu.org ([209.51.188.17])
	by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>)
	id 1kuFWo-00060H-UE
	for geb-bug-gnu-emacs@m.gmane-mx.org; Tue, 29 Dec 2020 14:59:10 +0100
Original-Received: from localhost ([::1]:52936 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>)
	id 1kuFWn-0004Ap-PO
	for geb-bug-gnu-emacs@m.gmane-mx.org; Tue, 29 Dec 2020 08:59:09 -0500
Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:41800)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1kuFWg-0004AX-2O
 for bug-gnu-emacs@gnu.org; Tue, 29 Dec 2020 08:59:02 -0500
Original-Received: from debbugs.gnu.org ([209.51.188.43]:54736)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1kuFWf-0005H9-Re
 for bug-gnu-emacs@gnu.org; Tue, 29 Dec 2020 08:59:01 -0500
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1kuFWf-0004V3-Ow
 for bug-gnu-emacs@gnu.org; Tue, 29 Dec 2020 08:59:01 -0500
X-Loop: help-debbugs@gnu.org
Resent-From: Philipp Stephani <p.stephani2@gmail.com>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Tue, 29 Dec 2020 13:59:01 +0000
Resent-Message-ID: <handler.45198.B45198.160925033217280@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 45198
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: patch
Original-Received: via spool by 45198-submit@debbugs.gnu.org id=B45198.160925033217280
 (code B ref 45198); Tue, 29 Dec 2020 13:59:01 +0000
Original-Received: (at 45198) by debbugs.gnu.org; 29 Dec 2020 13:58:52 +0000
Original-Received: from localhost ([127.0.0.1]:38049 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1kuFWW-0004Ue-Kd
 for submit@debbugs.gnu.org; Tue, 29 Dec 2020 08:58:52 -0500
Original-Received: from mail-ot1-f49.google.com ([209.85.210.49]:42650)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <p.stephani2@gmail.com>) id 1kuFWU-0004UP-Kb
 for 45198@debbugs.gnu.org; Tue, 29 Dec 2020 08:58:51 -0500
Original-Received: by mail-ot1-f49.google.com with SMTP id 11so11850816oty.9
 for <45198@debbugs.gnu.org>; Tue, 29 Dec 2020 05:58:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; 
 h=mime-version:references:in-reply-to:from:date:message-id:subject:to
 :cc; bh=HVyu+kna+HQUalY6IvvGMXQks42Ds25EEK/3hqLdmzs=;
 b=Yjy2/1sd7fseXReXfoNOTuNdrPG2GWM04LKfjFUHM2mxA5BrEdrfSEGr3SlYefmBOA
 PtKsktppSpla3HyR5pGELqIqS/3JylZ7d00bV1FXACDwrfHdazJvNwMP0vlf33/OUnqU
 3I8vms2xAWVf+xNVG8aEhQSlwVL7GaxLL3ojTCBXb/KQLz5BZrOUlcvHYuhWmBgXWgum
 scsNHFPlShcIGq3QGrVdWkiuLknDQYsJDkn9VQYXrdTCEklSBioduUDCidkYIzGODtdd
 TvLqVFMAyCZvrd6vVqxC8WFrYt2+Rvt0JaxBAeN2trdVxkqs2CXJRvp3tenRN6lpSnfi
 iGcg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to:cc;
 bh=HVyu+kna+HQUalY6IvvGMXQks42Ds25EEK/3hqLdmzs=;
 b=SZUaWdrw374qLmmSwbyh3VUhqvrt9ctsF3JxqVPleuYCZHRIApqEMRWG+QNS33pESX
 g8JjmV3x0daLe/tqxwt5RSG/x9C4XuIyE9m3KF4yFrtkEp26ePkS5KewXo0w9GndxRJw
 CPsz21jq4Z6rM6hPqS5DiAMirjbZp5lmah3+fEGzfisW3z47oJh0E4uotRmVOjg2c/AL
 X9jeXsU7evxnwLWzg7Rt5AaGNCbFS2RPXEH4WZ9VI5EjaiDoj+5wWIG6TsdVilrjc1iZ
 UB2woRf6P/271baZo5Vog3AwWF+B8p3s9d7qTEDzLAB5E2Yrg21NVNJtRD+LV0iwTgiZ
 KYow==
X-Gm-Message-State: AOAM531htafizMfO8bVXfTbmCOwmvge5B/TiHckQ/xuOoDs6+nka7axj
 r/3Vd4oFd+A5th4t9CgT3MzdoIsfpFHzMK8GtRg=
X-Google-Smtp-Source: ABdhPJx9mkp4EdOIhnolTRU0B+NSwqz8IP7VCBJ26p9ZW7Be5bOakVHSXDGBi6BYyYBvdFweBP5g6mguUuMf1up9FPA=
X-Received: by 2002:a9d:269:: with SMTP id 96mr35840463otb.174.1609250324758; 
 Tue, 29 Dec 2020 05:58:44 -0800 (PST)
In-Reply-To: <CADwFkm=Jjx3EnF6SYYNr=hFFLWuL=ZFeuMVhyOprbufydN9Dkg@mail.gmail.com>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
 the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-gnu-emacs>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org
Original-Sender: "bug-gnu-emacs"
 <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>
Xref: news.gmane.io gmane.emacs.bugs:196929
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/196929>

Am Mo., 28. Dez. 2020 um 09:23 Uhr schrieb Stefan Kangas
<stefankangas@gmail.com>:
>
> Philipp Stephani <p.stephani2@gmail.com> writes:
>
> > I agree, but we should use the time until Emacs 28 gets released to
> > gain experience with the API as well, so we should design the API
> > rather sooner than later, because once Emacs 28 is released, we can't
> > change it any more in incompatible ways.
>
> IMO, we could release it as an experimental feature and prominently
> announce that API changes might happen between major versions of Emacs.
> That would give us room to make even backward-incompatible changes,
> if/when necessary.
>
> I don't necessarily advocate this; I only want to point out that this is
> an option.

It's an option, though I'm not sure whether such announcements really
work all that well. Once an API becomes widely used, it becomes hard
to change it, even if it was announced to be unstable. Thus I'd
advocate for starting with the most conservative and malleable
approach possible:
- Don't allow reading the entire filesystem, but only selected files
and directories.
- Don't allow writing files (for now), communication should happen
through stdout. (That's probably good enough for Flymake, but soon
we'll need to find a more flexible approach.)
- Don't return a process object, but an opaque sandbox object.

For example:

(cl-defun start-sandbox (function &key readable-directories stdout-buffer) ...)
(defun wait-for-sandbox (sandbox) ...)