From: Po Lu
Newsgroups: gmane.emacs.devel
Subject: Re: master c86995d07e9: Enable code block evaluation when generating .org manuals
Date: Fri, 07 Jun 2024 13:13:56 +0800
Cc: Robert Pluim, emacs-devel@gnu.org, Kyle Meyer
In-Reply-To: (tomas@tuxteam.de's message of "Fri, 7 Jun 2024 06:26:10 +0200")

tomas@tuxteam.de writes:

> This is, strictly speaking, right, of course. Expectation-wise it does
> lower the bar for an attacker somewhat, since now the malicious code
> just has to be snuck into documentation.

This can only be true if documentation changes are scrutinized so little
that code, and by extension malicious code, simply passes unnoticed.
Otherwise, it would be best to credit the Org Mode developers with the
same due diligence as ours, or the resulting attitude will appear
condescending at best.

> So I think Robert is right that it's worth a discussion (whatever the
> outcome might be: perhaps treat the doc as code and give it as much
> scrutiny?
>
> Anyway, the libxz episode shows that it seems to be easier to sneak
> malicious code "elsewhere" (in that case it was the test suite, but
> you get the idea).

You mean to imply that Org Mode is more susceptible to organized
sabotage than other players whose code we import, such as Gnulib, or,
heaven forbid, we ourselves? That way lies madness.