Re: Sv: Install orgmode using its git repository.

[Leo Butler <leo.butler@umanitoba.ca>]

arthur miller <arthur.miller@live.com> writes:

> Nöje of that you write is particularly adequate "addressing" of potential security vulnerability that let's potential malicious code 1) install anything on  your machine 2) steal your data 3) destroy your data.
>
> Maybe a virtual machine, but then you wouldn't be running your Emacs for anything  sensitive or serious.

Actually, *nix systems have a very good way to handle these kinds of
threats without resort to such devices: users and groups. One can create
a user account with very limited privileges for working with unvetted
code, data, etc.

Actually, I do this for developing new code, too. That way, whatever I
break/change is contained within the confines of that account.

>
> A reviewed package from elpa/helps gives at least some guarantee that you are not getting binary blobs and/or directly malicious code installed on your machine.

Leo


>
>
> -------- Originalmeddelande --------
> Från: David Masterson <dsmasterson92630@outlook.com>
> Datum: 2020-12-28 22:44 (GMT+01:00)
> Till: arthur miller <arthur.miller@live.com>
> Kopia: Hongyi Zhao <hongyi.zhao@gmail.com>, Stefan Monnier <monnier@iro.umontreal.ca>, help-gnu-emacs <help-gnu-emacs@gnu.org>
> Ämne: Re: Sv: Install orgmode using its git repository.
>
> arthur miller <arthur.miller@live.com> writes:
>
>> I don't think it is very safe practice to install random Joe's code
>> directly from some git repo. We have not yet seen malicious code (not
>> what I know) in Emacs community, but Emacs in that respect is as bad
>> as MS Office from time when VBA scripts (and viruses) were shared
>> wildly around, or a web browserwith JS that can do anything. Remember
>> time when JS was off by default in all browsers?  Elisp can do
>> whatever on your computer, so you should be careful what you
>> install. Installing from random git repos can open you for more
>> security problems then needed. I do clone lots from gitlab/github, but
>> I always look at the code myself before I ever run it.
>>
>> Another point is that installing from git and different branches as it
>> is possible with straight.el or quelpa (is what OP actually wants) can
>> eventually lead to incompatibility between code that might be much
>> harder to detect. I personally don't want to bother with latest-latest
>> of all latest because eventually it could become a spagheti code of
>> possible incompatibility and clashes.
>
> You can address these points in multiple ways:
>
> 1. A good backup and restore strategy
> 2. Virtual machines (ie a chromebook)
> 3. prioritize (m)elpa-stable over (m)elpa
> 4. el-get can get particular version from git
> ...
>
> --
> David Masterson