From: Stefan Monnier <monnier@iro.umontreal.ca>
Cc: rms@gnu.org, emacs-devel@gnu.org
Subject: Re: Unsafe file variables...
Date: 04 Apr 2004 16:49:48 -0400 [thread overview]
Message-ID: <87ekr3h4cn.fsf-monnier+emacs@alfajor.local> (raw)
In-Reply-To: <x5r7v3bi8w.fsf@lola.goethe.zz>
>> Think of it as "check whether a piece of code is signed" (the
>> Microsoft notion of security) vs "check that the code type checks"
>> (the Java notion of security).
> Well, we already have determined that the variable _is_ unsafe to set.
No, we have only determined that the variable is not always safe to set.
That's very different.
> But since there still is an imaginable reason for setting that
> variable, the user gets the question. If you think that you can rule
> out the desirability of not mechanically checkable code being run,
> then that is the obvious way to go. But I don't see any sandbox
> model for Elisp that would get us even half there.
I don't understand what you're trying to say.
>> Now in general it's clearly impossible to check any arbitrary piece
>> of elisp code and give a good answer. But a good solution was
>> proposed a while back here: add a customization variable that allows
>> the user to specify a list of safe code which he's willing to eval
>> in the future.
> The list would have to get added to for each change.
Yes. Just like it would have to be re-signed for each change.
> In short, the user would have to manually judge the potential of the
> danger of such settings for each change, and record his decision.
Exactly. Just as is the case right now, except that he would get to record
his decision so he won't be prompted over and over again in the future.
> I was proposing a mechanism allowing delegation of such decisions to
> a verified source the user has declared trustworthy.
Yes, that's what I understood and what I consider as undesirable.
> This is less safe than a qualified judgment of the user for himself
> for every instance. _IF_ the user is capable of making a qualified
> judgment.
The same "IF the user is capable of making a qualified judgment" applies to
the authentication approach: the user has to assess the trustworthiness of
the source instead of the safety of the code.
Accepting a key does not just mean "I trust that Foo never intends harm",
but rather "I trust that every person who will ever get access to Foo's
private key will never intend harm".
> I just noticed that I get frequently annoyed by such questions and was
> trying to come up with a comparatively safe way to avoid them.
My approach is much more lightweight and can probably be coded in 10 lines.
I do believe in the "philosophical" arguments above, but ultimately the
implementation simplicity is what I'd aim for.
Stefan
next prev parent reply other threads:[~2004-04-04 20:49 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-04-03 19:06 Unsafe file variables David Kastrup
2004-04-04 16:25 ` Richard Stallman
2004-04-04 20:04 ` Stefan Monnier
2004-04-04 20:11 ` Stefan Monnier
2004-04-04 20:28 ` David Kastrup
2004-04-04 20:49 ` Stefan Monnier [this message]
2004-04-05 2:14 ` David Kastrup
2004-04-05 3:13 ` Stefan Monnier
2004-04-05 10:34 ` David Kastrup
2004-04-05 6:36 ` Richard Stallman
2004-04-05 11:56 ` Kim F. Storm
2004-04-05 12:06 ` Kim F. Storm
2004-04-07 0:09 ` Richard Stallman
2004-04-07 17:37 ` Kevin Rodgers
2004-04-05 0:44 ` Kim F. Storm
2004-04-05 2:25 ` Kim F. Storm
2004-04-05 9:08 ` Eli Zaretskii
2004-04-05 12:08 ` Kim F. Storm
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87ekr3h4cn.fsf-monnier+emacs@alfajor.local \
--to=monnier@iro.umontreal.ca \
--cc=emacs-devel@gnu.org \
--cc=rms@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).