From: Po Lu
Newsgroups: gmane.emacs.devel
Subject: Re: master c86995d07e9: Enable code block evaluation when generating .org manuals
Date: Fri, 07 Jun 2024 19:17:12 +0800
Message-ID: <87msnxf1dz.fsf@yahoo.com>
To: Eli Zaretskii
Cc: Robert Pluim, tomas@tuxteam.de, emacs-devel@gnu.org, kyle@kyleam.com
In-Reply-To: <86h6e5f23w.fsf@gnu.org> (Eli Zaretskii's message of "Fri, 07 Jun 2024 14:01:39 +0300")

Eli Zaretskii writes:

> It also introduced the fact that we run Lisp to produce documentation.
>
>> Subverting that
>> requires crafting documentation that causes the texinfo or org
>> handling code to misbehave. I doubt thatʼs impossible, given the
>> ingenuity of attackers, but enabling direct evaluation of emacs lisp
>> makes such subversion a whole lot easier.
>
> Adding that single setq on the command line means "direct evaluation
> of Emacs Lisp", whereas running Org code (in Emacs Lisp!) to produce
> the manuals does not? What am I missing here?
>
>> >> Anyway, the libxz episode shows that it seems to be easier to sneak
>> >> malicious code "elsewhere" (in that case it was the test suite, but
>> >> you get the idea).
>>
>> Eli> So you are saying that our co-maintainers are not to be trusted not to
>> Eli> sneak such code into release tarballs? That's quite an insult, I'd
>> Eli> say.
>>
>> Itʼs not a question of trust, nor an attack on maintainersʼ ability:
>> hiding such code from well-intentioned, skilled maintainers can and
>> has been done.
>
> So you are saying that we don't understand code that we review and
> approve for installing?
>
>> Eli> Why is it that a crime perpetrated by some villain immediately causes
>> Eli> people to suspect everyone around them to be capable of similar
>> Eli> crimes?
>>
>> Nobody is accusing maintainers of bad intentions.
>
> That's not the only interpretation of what's been said. The reference
> to xz already speaks volumes about the attitude.
>
>> My point was merely
>> that we should think carefully about enabling such a feature.
>
> And you think I haven't when I installed the change? Why would you
> think that?

100% agreement.