Newsgroups: gmane.emacs.devel
Subject: Re: master c86995d07e9: Enable code block evaluation when generating .org manuals
Date: Fri, 7 Jun 2024 06:26:10 +0200
To: Po Lu
Cc: Robert Pluim, emacs-devel@gnu.org, Kyle Meyer

On Fri, Jun 07, 2024 at 11:54:55AM +0800, Po Lu wrote:
> Robert Pluim writes:
>
> >>>>>> On Thu, 6 Jun 2024 08:36:16 -0400 (EDT), Eli Zaretskii said:
> >
> > Eli> diff --git a/doc/misc/Makefile.in b/doc/misc/Makefile.in
> > Eli> index 2841916dc89..b26d3525a22 100644
> > Eli> --- a/doc/misc/Makefile.in
> > Eli> +++ b/doc/misc/Makefile.in
> > Eli> @@ -250,6 +250,7 @@ define org_template
> > Eli> $(1:.org=3D.texi): $(1) ${top_srcdir}/lisp/org/ox-texinfo.el
> > Eli> $${AM_V_GEN}cd "$${srcdir}" && $${emacs} -l ox-texinfo \
> > Eli> --eval '(setq gc-cons-threshold 50000000)' \
> > Eli> + --eval '(setq org-confirm-babel-evaluate nil)' \
> > Eli> -f org-texinfo-export-to-texinfo-batch $$(notdir $$<) $$(n= otdir $$@)
> > Eli> endef
> >
> > This has set off my paranoia alarm. So anyone that manages to
> > sneak malicious emacs lisp code into the org manual gets to run that
> > code on the machines of everyone who builds emacs from source?
>
> No doubt you meant that anyone who manages to sneak malicious code into
> Emacs gets to run that code on the machines of everyone who builds Emacs
> from source, which is stating the obvious...

This is, strictly speaking, right, of course. Expectation-wise it
does lower the bar for an attacker somewhat, since now the malicious
code just has to be snuck into documentation.

So I think Robert is right that it's worth a discussion (whatever
the outcome might be: perhaps treat the doc as code and give it
as much scrutiny?)

Anyway, the libxz episode shows that it seems to be easier to
sneak malicious code "elsewhere" (in that case it was the test
suite, but you get the idea).

Cheers
-- 
t
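
Review bot: The added `--eval '(setq org-confirm-babel-evaluate nil)'` line in `org_template` turns off Babel confirmation unconditionally, for every .org file the template is instantiated with, so any source block that export evaluates in any of those manuals now runs during the build without a prompt. Consider narrowing it: `org-confirm-babel-evaluate` also accepts a function of the block's language and body, which would let the build skip confirmation only for the languages the manuals actually need and still refuse everything else. Failing that, a comment above the line saying which manual requires evaluation and why would tell reviewers of future doc/misc/*.org changes that source blocks there execute at build time and need code-level review.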