From: Stefan Monnier
Newsgroups: gmane.emacs.devel
Subject: Re: Unsafe file variables...
Date: 04 Apr 2004 16:11:41 -0400
Message-ID: <87y8pbh5lk.fsf-monnier+emacs@alfajor.local>
To: rms@gnu.org
Cc: David Kastrup, emacs-devel@gnu.org

> Something like that. I would then customize a variable that tells
> whose signatures I trust enough not to get the stupid question again
> and again.

> Obviously, this also makes it possible for me to look at the local
> variable block once, decide that it is good enough for me, and sign
> it.

> It looks good to me, but it would be good to get comments
> from security experts.

I think that using authentication for such problems is the wrong approach.
We should check the safety of the code instead.
Think of it as "check whether a piece of code is signed" (the Microsoft
notion of security) vs "check that the code type checks" (the Java notion of
security).

Now in general it's clearly impossible to check any arbitrary piece of elisp
code and give a good answer. But a good solution was proposed a while back
here: add a customization variable that allows the user to specify a list of
safe code which he's willing to eval in the future.

Stefan
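
The allowlist idea from the message above, sketched as an added example; it is not part of the original post and not Emacs's own code. The names my-safe-eval-forms, my-parse-eval-lines and my-classify-evals are hypothetical, and the sample block is constructed.

```elisp
;;; -*- lexical-binding: t -*-
;; Added example: hypothetical names, not an Emacs API.

(defvar my-safe-eval-forms
  '((add-hook 'write-file-functions 'time-stamp))
  "Forms the user has reviewed once and agreed to evaluate in the future.")

(defun my-parse-eval-lines (text)
  "Return the forms on `eval: FORM' lines in TEXT, read but never evaluated."
  (let ((pos 0) forms)
    (while (string-match "^[;# ]*eval:[ \t]*" text pos)
      ;; `read-from-string' only builds the Lisp object; it runs nothing.
      (let ((parsed (read-from-string text (match-end 0))))
        (push (car parsed) forms)
        (setq pos (cdr parsed))))
    (nreverse forms)))

(defun my-classify-evals (text)
  "Return (ALLOWED . REJECTED) for the eval forms found in TEXT.
A form is allowed only if it is `equal' to an entry in
`my-safe-eval-forms'; who wrote or signed the file plays no part."
  (let (allowed rejected)
    (dolist (form (my-parse-eval-lines text))
      (if (member form my-safe-eval-forms)
          (push form allowed)
        (push form rejected)))
    (cons (nreverse allowed) (nreverse rejected))))

;; Constructed sample: one form already on the list, one the user never approved.
(defconst my-sample-block
  ";; Local Variables:
;; eval: (add-hook 'write-file-functions 'time-stamp)
;; eval: (load \"project-helpers.el\")
;; End:")

(defun my-eval-approved (text)
  "Evaluate only the allowlisted forms in TEXT; return the rejected ones."
  (let ((result (my-classify-evals text)))
    (mapc #'eval (car result))
    (cdr result)))
```

Because the comparison is structural equality on the whole form, changing any argument of an approved form sends it back to the rejected list for a fresh decision.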