From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: Ted Zlatanov <tzz@lifelogs.com>
Newsgroups: gmane.emacs.devel
Subject: Re: DSO-style FFI
Date: Sat, 19 Oct 2013 15:44:42 -0400
Organization: =?utf-8?B?0KLQtdC+0LTQvtGAINCX0LvQsNGC0LDQvdC+0LI=?= @ Cienfuegos
Message-ID: <87ob6lm4et.fsf@flea.lifelogs.com>
References: <877gdqrc9u.fsf@flea.lifelogs.com>
	<jwv1u3ymjkd.fsf-monnier+emacs@gnu.org>
	<87mwmmp05f.fsf@flea.lifelogs.com>
	<jwvhactlp35.fsf-monnier+emacs@gnu.org>
	<87fvsdpato.fsf@flea.lifelogs.com> <8738oc20xk.fsf@flea.lifelogs.com>
	<jwvr4bw667d.fsf-monnier+emacs@gnu.org>
	<87d2ngzlyl.fsf_-_@flea.lifelogs.com>
	<jwva9ik5vqw.fsf-monnier+emacs@gnu.org>
	<87siwcxda7.fsf@flea.lifelogs.com>
	<jwvzjqj220k.fsf-monnier+emacs@gnu.org>
	<87zjqjfz36.fsf@fleche.redhat.com>
	<jwv8uy3jhvy.fsf-monnier+emacs@gnu.org>
	<87wqlitse5.fsf@maru2.md5i.com>
	<jwvbo2uqqa7.fsf-monnier+emacs@gnu.org>
	<87eh7iogcv.fsf@flea.lifelogs.com> <82y55p17yw.fsf@gmail.com>
Reply-To: emacs-devel@gnu.org
NNTP-Posting-Host: plane.gmane.org
Mime-Version: 1.0
Content-Type: text/plain
X-Trace: ger.gmane.org 1382211888 27577 80.91.229.3 (19 Oct 2013 19:44:48 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Sat, 19 Oct 2013 19:44:48 +0000 (UTC)
To: emacs-devel@gnu.org
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Sat Oct 19 21:44:50 2013
Return-path: <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>
Envelope-to: ged-emacs-devel@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by plane.gmane.org with esmtp (Exim 4.69)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1VXcS9-0001im-FW
	for ged-emacs-devel@m.gmane.org; Sat, 19 Oct 2013 21:44:49 +0200
Original-Received: from localhost ([::1]:34219 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1VXcS9-0007wJ-5O
	for ged-emacs-devel@m.gmane.org; Sat, 19 Oct 2013 15:44:49 -0400
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:43319)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <ged-emacs-devel@m.gmane.org>) id 1VXcS1-0007vx-8I
	for emacs-devel@gnu.org; Sat, 19 Oct 2013 15:44:47 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <ged-emacs-devel@m.gmane.org>) id 1VXcRv-0001SC-3p
	for emacs-devel@gnu.org; Sat, 19 Oct 2013 15:44:41 -0400
Original-Received: from plane.gmane.org ([80.91.229.3]:45853)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <ged-emacs-devel@m.gmane.org>) id 1VXcRu-0001S8-U5
	for emacs-devel@gnu.org; Sat, 19 Oct 2013 15:44:35 -0400
Original-Received: from list by plane.gmane.org with local (Exim 4.69)
	(envelope-from <ged-emacs-devel@m.gmane.org>) id 1VXcRt-0001ZM-Ku
	for emacs-devel@gnu.org; Sat, 19 Oct 2013 21:44:33 +0200
Original-Received: from c-98-229-61-72.hsd1.ma.comcast.net ([98.229.61.72])
	by main.gmane.org with esmtp (Gmexim 0.1 (Debian))
	id 1AlnuQ-0007hv-00
	for <emacs-devel@gnu.org>; Sat, 19 Oct 2013 21:44:33 +0200
Original-Received: from tzz by c-98-229-61-72.hsd1.ma.comcast.net with local (Gmexim
	0.1 (Debian)) id 1AlnuQ-0007hv-00
	for <emacs-devel@gnu.org>; Sat, 19 Oct 2013 21:44:33 +0200
X-Injected-Via-Gmane: http://gmane.org/
Mail-Followup-To: emacs-devel@gnu.org
Original-Lines: 29
Original-X-Complaints-To: usenet@ger.gmane.org
X-Gmane-NNTP-Posting-Host: c-98-229-61-72.hsd1.ma.comcast.net
X-Face: bd.DQ~'29fIs`T_%O%C\g%6jW)yi[zuz6;
	d4V0`@y-~$#3P_Ng{@m+e4o<4P'#(_GJQ%TT=
	D}[Ep*b!\e,fBZ'j_+#"Ps?s2!4H2-Y"sx"
Mail-Copies-To: never
User-Agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.3.50 (gnu/linux)
Cancel-Lock: sha1:9cMuiqof0ZFDGeOZizjzwggufvE=
X-detected-operating-system: by eggs.gnu.org: Genre and OS details not
	recognized.
X-Received-From: 80.91.229.3
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Emacs development discussions." <emacs-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/emacs-devel>
List-Post: <mailto:emacs-devel@gnu.org>
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=subscribe>
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Xref: news.gmane.org gmane.emacs.devel:164379
Archived-At: <http://permalink.gmane.org/gmane.emacs.devel/164379>

On Sat, 19 Oct 2013 18:33:27 +0100 Andy Moreton <andrewjmoreton@gmail.com> wrote: 

AM> On Fri 18 Oct 2013, Ted Zlatanov wrote:
>> On Sat, 12 Oct 2013 14:55:26 -0400 Stefan Monnier <monnier@IRO.UMontreal.CA> wrote: 
>> 
>>>> The problems I see are A) that it would be trivial to use such an
>>>> interface to crash or subvert emacs from elisp,
>> 
SM> This is a fundamental property of anything that lets gives access to
SM> "any" library.  DSO or FFI is in the same boat.  IOW, if we really
SM> consider it as too dangerous, then we can't provide anything related to
SM> an FFI or dynamic loading of code.
>> 
>> This is where package signing becomes important.  We can require two
>> signatures from two separate reviewers for high-risk packages.

AM> Package signing is not really relevant here: knowing who signed a
AM> package does not magically prevent emacs from crashing. If you want to
AM> prevent crashes, then you need to isolate the third party code by
AM> running it in a separate process.

A separate process doesn't guarantee safety either, depending on the
platform and the process owner.

Double signing would require two independent reviewers to sign off on
the package release.  This gives some assurance that the code is not
apparently or intentionally harmful by not-so-magical means.

Ted