From: Ted Zlatanov
Newsgroups: gmane.emacs.devel
Subject: Re: DSO-style FFI
Date: Sat, 19 Oct 2013 15:44:42 -0400
Organization: Теодор Златанов @ Cienfuegos
Message-ID: <87ob6lm4et.fsf@flea.lifelogs.com>
To: emacs-devel@gnu.org

On Sat, 19 Oct 2013 18:33:27 +0100 Andy Moreton wrote:

AM> On Fri 18 Oct 2013, Ted Zlatanov wrote:
>> On Sat, 12 Oct 2013 14:55:26 -0400 Stefan Monnier wrote:
>>
>>>> The problems I see are A) that it would be trivial to use such an
>>>> interface to crash or subvert emacs from elisp,
>>
SM> This is a fundamental property of anything that gives access to
SM> "any" library. DSO or FFI is in the same boat. IOW, if we really
SM> consider it as too dangerous, then we can't provide anything related to
SM> an FFI or dynamic loading of code.
>>
>> This is where package signing becomes important. We can require two
>> signatures from two separate reviewers for high-risk packages.

AM> Package signing is not really relevant here: knowing who signed a
AM> package does not magically prevent emacs from crashing. If you want to
AM> prevent crashes, then you need to isolate the third party code by
AM> running it in a separate process.

A separate process doesn't guarantee safety either, depending on the
platform and the process owner.

Double signing would require two independent reviewers to sign off on
the package release. This gives some assurance that the code is not
apparently or intentionally harmful by not-so-magical means.

Ted
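The two-reviewer sign-off described in the thread, as an added example that is not part of the original message and not ELPA's actual GPG-based mechanism: it assumes a roster of reviewer Ed25519 public keys and detached signatures over a digest that binds the package name, version and archive bytes. The check only passes when the required number of distinct rostered reviewers signed that exact release; a reviewer signing twice, an unknown key, or a signature made for a different version does not count.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signature is one reviewer's detached signature over the release digest.
type Signature struct {
	Reviewer string
	Sig      []byte
}
// ReleaseDigest binds a signature to the exact archive bytes plus package name and
// version, so a signature for one release cannot be replayed onto another.
func ReleaseDigest(pkg, ver string, archive []byte) []byte {
	h := sha256.New()
	h.Write([]byte(pkg + "@" + ver + "\n"))
	h.Write(archive)
	return h.Sum(nil)
}
// VerifyDoubleSigned accepts a release only if at least `need` DISTINCT rostered
// reviewers signed this exact release; duplicates count once, unknown or invalid
// signatures are skipped rather than counted as approvals.
func VerifyDoubleSigned(roster map[string]ed25519.PublicKey, pkg, ver string, archive []byte, sigs []Signature, need int) (bool, []string) {
	digest := ReleaseDigest(pkg, ver, archive)
	seen := map[string]bool{}
	var approved []string
	for _, s := range sigs {
		pub, known := roster[s.Reviewer]
		if !known || seen[s.Reviewer] || !ed25519.Verify(pub, digest, s.Sig) {
			continue
		}
		seen[s.Reviewer] = true
		approved = append(approved, s.Reviewer)
	}
	return len(approved) >= need, approved
}

func main() {
	// Constructed sample: two reviewer keypairs and a toy package archive.
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader)
	roster := map[string]ed25519.PublicKey{"alice": pubA, "bob": pubB}
	archive := []byte("(defun foo () 1)")
	digest := ReleaseDigest("foo", "1.0", archive)
	sigs := []Signature{{"alice", ed25519.Sign(privA, digest)}, {"bob", ed25519.Sign(privB, digest)}}
	ok, who := VerifyDoubleSigned(roster, "foo", "1.0", archive, sigs, 2)
	fmt.Println(ok, who) // true [alice bob]; sigs[0] twice would give false [alice]
}
```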