* Install orgmode using its git repository.
@ 2020-12-27 6:23 Hongyi Zhao
2020-12-27 16:17 ` Stefan Monnier
` (2 more replies)
0 siblings, 3 replies; 19+ messages in thread
From: Hongyi Zhao @ 2020-12-27 6:23 UTC (permalink / raw)
To: help-gnu-emacs
On Ubuntu 20.10, I compiled the latest git master version of emacs,
but I can't the org-mode command from within it. So I try to install
the orgmode using its git repository according to the guidance [1] as
shown below.

    $ git clone https://code.orgmode.org/bzg/org-mode.git Public/repo/code.orgmode.org/bzg/org-mode.git
    $ cd code.orgmode.org/bzg/org-mode.git
    $ make autoloads

Then add the following lines into ~/.emacs.d/init.el:

    (add-to-list 'load-path "~/Public/repo/code.orgmode.org/bzg/org-mode.git/lisp")
    (add-to-list 'load-path
                 "~/Public/repo/code.orgmode.org/bzg/org-mode.git/contrib/lisp" t)

But after I started emacs and issue the instructions 'M-x org- RET', I
see the following information in the minibuffer:

    Possible completions are:
    org-decrypt-entries org-decrypt-entry
    org-encrypt-entries org-encrypt-entry

As you can see, the org-mode is still not available. Any hints for
solving this problem is highly appreciated.

[1] https://orgmode.org/manual/Installation.html.

Regards
--
Assoc. Prof. Hongyi Zhao <hongyi.zhao@gmail.com>
Theory and Simulation of Materials
Hebei Polytechnic University of Science and Technology engineering
NO. 552 North Gangtie Road, Xingtai, China
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Install orgmode using its git repository.
2020-12-27 6:23 Install orgmode using its git repository Hongyi Zhao
@ 2020-12-27 16:17 ` Stefan Monnier
2020-12-28 0:12 ` Hongyi Zhao
2020-12-27 17:50 ` Eli Zaretskii
2020-12-28 7:58 ` Sv: " arthur miller
2 siblings, 1 reply; 19+ messages in thread
From: Stefan Monnier @ 2020-12-27 16:17 UTC (permalink / raw)
To: help-gnu-emacs
BTW, you can also install the latest code from Git via package.el:
M-x url-handler-mode RET ;; Assuming it's not already enabled
C-x C-f https://elpa.gnu.org/devel/org.tar RET
M-x package-install-from-buffer RET
Stefan
Hongyi Zhao [2020-12-27 14:23:28] wrote:
> On Ubuntu 20.10, I compiled the latest git master version of emacs,
> but I can't the org-mode command from within it. So I try to install
> the orgmode using its git repository according to the guidance [1] as
> shown below.
>
> $ git clone https://code.orgmode.org/bzg/org-mode.git
> Public/repo/code.orgmode.org/bzg/org-mode.git
> $ cd code.orgmode.org/bzg/org-mode.git
> $ make autoloads
>
> Then add the following lines into ~/.emacs.d/init.el:
>
> (add-to-list 'load-path "~/Public/repo/code.orgmode.org/bzg/org-mode.git/lisp")
> (add-to-list 'load-path
> "~/Public/repo/code.orgmode.org/bzg/org-mode.git/contrib/lisp" t)
>
> But after I started emacs and issue the instructions 'M-x org- RET', I
> see the following information in the minibuffer:
>
> Possible completions are:
> org-decrypt-entries org-decrypt-entry
> org-encrypt-entries org-encrypt-entry
>
> As you can see, the org-mode is still not available. Any hints for
> solving this problem is highly appreciated.
>
> [1] https://orgmode.org/manual/Installation.html.
>
> Regards
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Install orgmode using its git repository.
2020-12-27 6:23 Install orgmode using its git repository Hongyi Zhao
2020-12-27 16:17 ` Stefan Monnier
@ 2020-12-27 17:50 ` Eli Zaretskii
2020-12-28 7:58 ` Sv: " arthur miller
2 siblings, 0 replies; 19+ messages in thread
From: Eli Zaretskii @ 2020-12-27 17:50 UTC (permalink / raw)
To: help-gnu-emacs
> From: Hongyi Zhao <hongyi.zhao@gmail.com>
> Date: Sun, 27 Dec 2020 14:23:28 +0800
>
> On Ubuntu 20.10, I compiled the latest git master version of emacs,
> but I can't the org-mode command from within it. So I try to install
> the orgmode using its git repository according to the guidance [1] as
> shown below.
>
> $ git clone https://code.orgmode.org/bzg/org-mode.git
> Public/repo/code.orgmode.org/bzg/org-mode.git
> $ cd code.orgmode.org/bzg/org-mode.git
> $ make autoloads
>
> Then add the following lines into ~/.emacs.d/init.el:
>
> (add-to-list 'load-path "~/Public/repo/code.orgmode.org/bzg/org-mode.git/lisp")
> (add-to-list 'load-path
> "~/Public/repo/code.orgmode.org/bzg/org-mode.git/contrib/lisp" t)
>
> But after I started emacs and issue the instructions 'M-x org- RET', I
> see the following information in the minibuffer:
>
> Possible completions are:
> org-decrypt-entries org-decrypt-entry
> org-encrypt-entries org-encrypt-entry
>
> As you can see, the org-mode is still not available. Any hints for
> solving this problem is highly appreciated.
I believe/hope this is a bug that was already fixed on the emacs-27
branch, and hopefully will be merged to master soon.
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Install orgmode using its git repository.
2020-12-27 16:17 ` Stefan Monnier
@ 2020-12-28 0:12 ` Hongyi Zhao
2020-12-28 5:13 ` David Masterson
2020-12-28 5:21 ` Stefan Monnier
0 siblings, 2 replies; 19+ messages in thread
From: Hongyi Zhao @ 2020-12-28 0:12 UTC (permalink / raw)
To: Stefan Monnier; +Cc: help-gnu-emacs
On Mon, Dec 28, 2020 at 12:18 AM Stefan Monnier
<monnier@iro.umontreal.ca> wrote:
>
> BTW, you can also install the latest code from Git via package.el:
>
> M-x url-handler-mode RET ;; Assuming it's not already enabled
> C-x C-f https://elpa.gnu.org/devel/org.tar RET
> M-x package-install-from-buffer RET
If I want to implement the above codes as a package-install-from-repo
function with the package's URL as the argument, then how should I
rewrite the above code?
>
> Stefan
>
>
> Hongyi Zhao [2020-12-27 14:23:28] wrote:
> > On Ubuntu 20.10, I compiled the latest git master version of emacs,
> > but I can't the org-mode command from within it. So I try to install
> > the orgmode using its git repository according to the guidance [1] as
> > shown below.
> >
> > $ git clone https://code.orgmode.org/bzg/org-mode.git
> > Public/repo/code.orgmode.org/bzg/org-mode.git
> > $ cd code.orgmode.org/bzg/org-mode.git
> > $ make autoloads
> >
> > Then add the following lines into ~/.emacs.d/init.el:
> >
> > (add-to-list 'load-path "~/Public/repo/code.orgmode.org/bzg/org-mode.git/lisp")
> > (add-to-list 'load-path
> > "~/Public/repo/code.orgmode.org/bzg/org-mode.git/contrib/lisp" t)
> >
> > But after I started emacs and issue the instructions 'M-x org- RET', I
> > see the following information in the minibuffer:
> >
> > Possible completions are:
> > org-decrypt-entries org-decrypt-entry
> > org-encrypt-entries org-encrypt-entry
> >
> > As you can see, the org-mode is still not available. Any hints for
> > solving this problem is highly appreciated.
> >
> > [1] https://orgmode.org/manual/Installation.html.
> >
> > Regards
>
>
--
Assoc. Prof. Hongyi Zhao <hongyi.zhao@gmail.com>
Theory and Simulation of Materials
Hebei Polytechnic University of Science and Technology engineering
NO. 552 North Gangtie Road, Xingtai, China
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Install orgmode using its git repository.
2020-12-28 0:12 ` Hongyi Zhao
@ 2020-12-28 5:13 ` David Masterson
2020-12-28 5:21 ` Stefan Monnier
1 sibling, 0 replies; 19+ messages in thread
From: David Masterson @ 2020-12-28 5:13 UTC (permalink / raw)
To: Hongyi Zhao; +Cc: help-gnu-emacs, Stefan Monnier
Hongyi Zhao <hongyi.zhao@gmail.com> writes:
> On Mon, Dec 28, 2020 at 12:18 AM Stefan Monnier
> <monnier@iro.umontreal.ca> wrote:
>>
>> BTW, you can also install the latest code from Git via package.el:
>>
>> M-x url-handler-mode RET ;; Assuming it's not already enabled
>> C-x C-f https://elpa.gnu.org/devel/org.tar RET
>> M-x package-install-from-buffer RET
>
> If I want to implement the above codes as a package-install-from-repo
> function with the package's URL as the argument, then how should I
> rewrite the above code?
See the documentation for the packages use-package and el-get on Melpa.
--
David Masterson
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Install orgmode using its git repository.
2020-12-28 0:12 ` Hongyi Zhao
2020-12-28 5:13 ` David Masterson
@ 2020-12-28 5:21 ` Stefan Monnier
2020-12-28 5:40 ` Hongyi Zhao
1 sibling, 1 reply; 19+ messages in thread
From: Stefan Monnier @ 2020-12-28 5:21 UTC (permalink / raw)
To: Hongyi Zhao; +Cc: help-gnu-emacs
>> BTW, you can also install the latest code from Git via package.el:
>>
>> M-x url-handler-mode RET ;; Assuming it's not already enabled
>> C-x C-f https://elpa.gnu.org/devel/org.tar RET
>> M-x package-install-from-buffer RET
>
> If I want to implement the above codes as a package-install-from-repo
> function with the package's URL as the argument, then how should I
> rewrite the above code?
Not sure what you're asking. Such a function would be a welcome
addition to package.el, if that's what you mean.
Stefan
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Install orgmode using its git repository.
2020-12-28 5:21 ` Stefan Monnier
@ 2020-12-28 5:40 ` Hongyi Zhao
2020-12-28 8:08 ` Sv: " arthur miller
2020-12-28 15:52 ` Stefan Monnier
0 siblings, 2 replies; 19+ messages in thread
From: Hongyi Zhao @ 2020-12-28 5:40 UTC (permalink / raw)
To: Stefan Monnier; +Cc: help-gnu-emacs
On Mon, Dec 28, 2020 at 1:21 PM Stefan Monnier <monnier@iro.umontreal.ca> wrote:
>
> >> BTW, you can also install the latest code from Git via package.el:
> >>
> >> M-x url-handler-mode RET ;; Assuming it's not already enabled
> >> C-x C-f https://elpa.gnu.org/devel/org.tar RET
> >> M-x package-install-from-buffer RET
> >
> > If I want to implement the above codes as a package-install-from-repo
> > function with the package's URL as the argument, then how should I
> > rewrite the above code?
>
> Not sure what you're asking. Such a function would be a welcome
> addition to package.el, if that's what you mean.
I just noticed that this question has been discussed on stackexchange:
https://emacs.stackexchange.com/questions/51586/is-there-a-package-manager-for-emacs-that-can-use-git-repositories-directly
also, by the author of straight.el:
https://github.com/raxod502/straight.el#comparison-to-other-package-managers
Regards
--
Assoc. Prof. Hongyi Zhao <hongyi.zhao@gmail.com>
Theory and Simulation of Materials
Hebei Polytechnic University of Science and Technology engineering
NO. 552 North Gangtie Road, Xingtai, China
^ permalink raw reply [flat|nested] 19+ messages in thread
* Sv: Install orgmode using its git repository.
2020-12-27 6:23 Install orgmode using its git repository Hongyi Zhao
2020-12-27 16:17 ` Stefan Monnier
2020-12-27 17:50 ` Eli Zaretskii
@ 2020-12-28 7:58 ` arthur miller
2 siblings, 0 replies; 19+ messages in thread
From: arthur miller @ 2020-12-28 7:58 UTC (permalink / raw)
To: Hongyi Zhao, help-gnu-emacs
I use to install org via use-package, just org repository to package. Then I also use to use something:
I use to remove built-in org directory from emacs source and symlink to latest org-source. Worked
well too. The thing is when running Emacs with -Q then org would not be present. I don't need latest
features, so I don't really care to do that any more.
^ permalink raw reply [flat|nested] 19+ messages in thread
* Sv: Install orgmode using its git repository.
2020-12-28 5:40 ` Hongyi Zhao
@ 2020-12-28 8:08 ` arthur miller
2020-12-28 15:53 ` Stefan Monnier
2020-12-28 21:43 ` David Masterson
2020-12-28 15:52 ` Stefan Monnier
1 sibling, 2 replies; 19+ messages in thread
From: arthur miller @ 2020-12-28 8:08 UTC (permalink / raw)
To: Hongyi Zhao, Stefan Monnier; +Cc: help-gnu-emacs
I don't think it is very safe practice to install random Joe's code directly from
some git repo. We have not yet seen malicious code (not what I know) in
Emacs community, but Emacs in that respect is as bad as MS Office from
time when VBA scripts (and viruses) were shared wildly around, or a web
browser with JS that can do anything. Remember time when JS was off by default
in all browsers? Elisp can do whatever on your computer, so you should be
careful what you install. Installing from random git repos can open you for
more security problems than needed. I do clone lots from gitlab/github, but
I always look at the code myself before I ever run it.
Another point is that installing from git and different branches as it is possible
with straight.el or quelpa (is what OP actually wants) can eventually lead to
incompatibility between code that might be much harder to detect. I personally
don't want to bother with latest-latest of all latest because eventually it could
become a spaghetti code of possible incompatibility and clashes.
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Install orgmode using its git repository.
2020-12-28 5:40 ` Hongyi Zhao
2020-12-28 8:08 ` Sv: " arthur miller
@ 2020-12-28 15:52 ` Stefan Monnier
1 sibling, 0 replies; 19+ messages in thread
From: Stefan Monnier @ 2020-12-28 15:52 UTC (permalink / raw)
To: Hongyi Zhao; +Cc: help-gnu-emacs
>> >> BTW, you can also install the latest code from Git via package.el:
>> >>
>> >> M-x url-handler-mode RET ;; Assuming it's not already enabled
>> >> C-x C-f https://elpa.gnu.org/devel/org.tar RET
>> >> M-x package-install-from-buffer RET
>> >
>> > If I want to implement the above codes as a package-install-from-repo
>> > function with the package's URL as the argument, then how should I
>> > rewrite the above code?
>>
>> Not sure what you're asking. Such a function would be a welcome
>> addition to package.el, if that's what you mean.
>
> I just noticed that this question has been discussed on stackexchange:
>
> https://emacs.stackexchange.com/questions/51586/is-there-a-package-manager-for-emacs-that-can-use-git-repositories-directly
That's not quite the same question, actually.
What I was referring to is a function which lets you install a particular
ELPA package by giving a URL to it. This usually won't allow you to
install a package directly from its Git repository (tho it may work in
some particular cases).
Stefan
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Sv: Install orgmode using its git repository.
2020-12-28 8:08 ` Sv: " arthur miller
@ 2020-12-28 15:53 ` Stefan Monnier
2020-12-28 21:43 ` David Masterson
1 sibling, 0 replies; 19+ messages in thread
From: Stefan Monnier @ 2020-12-28 15:53 UTC (permalink / raw)
To: arthur miller; +Cc: help-gnu-emacs, Hongyi Zhao
> I don't think it is very safe practice to install random Joe's code directly from
> some git repo.
FWIW, the function could/should obey `package-check-signature`.
Stefan
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Sv: Install orgmode using its git repository.
2020-12-28 8:08 ` Sv: " arthur miller
2020-12-28 15:53 ` Stefan Monnier
@ 2020-12-28 21:43 ` David Masterson
2020-12-28 23:16 ` arthur miller
1 sibling, 1 reply; 19+ messages in thread
From: David Masterson @ 2020-12-28 21:43 UTC (permalink / raw)
To: arthur miller; +Cc: help-gnu-emacs, Stefan Monnier, Hongyi Zhao
arthur miller <arthur.miller@live.com> writes:
> I don't think it is very safe practice to install random Joe's code
> directly from some git repo. We have not yet seen malicious code (not
> what I know) in Emacs community, but Emacs in that respect is as bad
> as MS Office from time when VBA scripts (and viruses) were shared
> wildly around, or a web browser with JS that can do anything. Remember
> time when JS was off by default in all browsers? Elisp can do
> whatever on your computer, so you should be careful what you
> install. Installing from random git repos can open you for more
> security problems than needed. I do clone lots from gitlab/github, but
> I always look at the code myself before I ever run it.
>
> Another point is that installing from git and different branches as it
> is possible with straight.el or quelpa (is what OP actually wants) can
> eventually lead to incompatibility between code that might be much
> harder to detect. I personally don't want to bother with latest-latest
> of all latest because eventually it could become a spaghetti code of
> possible incompatibility and clashes.
You can address these points in multiple ways:
1. A good backup and restore strategy
2. Virtual machines (ie a chromebook)
3. prioritize (m)elpa-stable over (m)elpa
4. el-get can get particular version from git
...
--
David Masterson
^ permalink raw reply [flat|nested] 19+ messages in thread
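An added example, not part of the thread and not code from package.el: a package.el configuration that combines two suggestions made above, obeying `package-check-signature` and preferring stable archives over MELPA. The archive names, the priority numbers, the decision to pin `org` to GNU ELPA, and the assumption that the two MELPA archives publish no signatures are illustrative choices.

```elisp
;; Added example (not from the thread): package.el settings for init.el.
(require 'package)

;; Use HTTPS archive URLs so archive listings and tarballs are not
;; fetched over plain HTTP.
(setq package-archives
      '(("gnu"          . "https://elpa.gnu.org/packages/")
        ("melpa-stable" . "https://stable.melpa.org/packages/")
        ("melpa"        . "https://melpa.org/packages/")))

;; When several archives offer the same package, the archive with the
;; highest priority is chosen.  Archives not listed have priority 0.
;; The numbers themselves are illustrative.
(setq package-archive-priorities
      '(("gnu"          . 30)
        ("melpa-stable" . 20)
        ("melpa"        . 10)))

;; Pin individual packages to one archive regardless of priorities.
;; Pinning org to GNU ELPA is an assumed choice for this example.
(setq package-pinned-packages
      '((org . "gnu")))

;; The default, `allow-unsigned', verifies a signature only when the
;; archive supplies one.  Setting this to t makes installation fail when
;; a package has no signature or the signature does not verify.
(setq package-check-signature t)

;; Archives named here are exempt from the signature requirement.
;; Assumption: the MELPA archives do not sign their packages, so with
;; the setting above they would otherwise be unusable.  Everything
;; installed from them is unverified.
(setq package-unsigned-archives '("melpa-stable" "melpa"))

(package-initialize)
```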
* RE: Sv: Install orgmode using its git repository.
2020-12-28 21:43 ` David Masterson
@ 2020-12-28 23:16 ` arthur miller
2020-12-29 15:33 ` Leo Butler
0 siblings, 1 reply; 19+ messages in thread
From: arthur miller @ 2020-12-28 23:16 UTC (permalink / raw)
To: David Masterson; +Cc: help-gnu-emacs, Stefan Monnier, Hongyi Zhao
None of that you write is particularly adequate "addressing" of potential security vulnerability that lets potential malicious code 1) install anything on your machine 2) steal your data 3) destroy your data.
Maybe a virtual machine, but then you wouldn't be running your Emacs for anything sensitive or serious.
A reviewed package from elpa/melpa gives at least some guarantee that you are not getting binary blobs and/or directly malicious code installed on your machine.
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Sv: Install orgmode using its git repository.
2020-12-28 23:16 ` arthur miller
@ 2020-12-29 15:33 ` Leo Butler
2020-12-29 17:16 ` arthur miller
` (2 more replies)
0 siblings, 3 replies; 19+ messages in thread
From: Leo Butler @ 2020-12-29 15:33 UTC (permalink / raw)
To: help-gnu-emacs
arthur miller <arthur.miller@live.com> writes:
> None of that you write is particularly adequate "addressing" of potential security vulnerability that lets potential malicious code 1) install anything on your machine 2) steal your data 3) destroy your data.
>
> Maybe a virtual machine, but then you wouldn't be running your Emacs for anything sensitive or serious.
Actually, *nix systems have a very good way to handle these kinds of
threats without resort to such devices: users and groups. One can create
a user account with very limited privileges for working with unvetted
code, data, etc.
Actually, I do this for developing new code, too. That way, whatever I
break/change is contained within the confines of that account.
>
> A reviewed package from elpa/melpa gives at least some guarantee that you are not getting binary blobs and/or directly malicious code installed on your machine.
Leo
>
>
> -------- Original message --------
> From: David Masterson <dsmasterson92630@outlook.com>
> Date: 2020-12-28 22:44 (GMT+01:00)
> To: arthur miller <arthur.miller@live.com>
> Cc: Hongyi Zhao <hongyi.zhao@gmail.com>, Stefan Monnier <monnier@iro.umontreal.ca>, help-gnu-emacs <help-gnu-emacs@gnu.org>
> Subject: Re: Sv: Install orgmode using its git repository.
>
> arthur miller <arthur.miller@live.com> writes:
>
>> I don't think it is very safe practice to install random Joe's code
>> directly from some git repo. We have not yet seen malicious code (not
>> what I know) in Emacs community, but Emacs in that respect is as bad
>> as MS Office from time when VBA scripts (and viruses) were shared
>> wildly around, or a web browser with JS that can do anything. Remember
>> time when JS was off by default in all browsers? Elisp can do
>> whatever on your computer, so you should be careful what you
>> install. Installing from random git repos can open you for more
>> security problems than needed. I do clone lots from gitlab/github, but
>> I always look at the code myself before I ever run it.
>>
>> Another point is that installing from git and different branches as it
>> is possible with straight.el or quelpa (is what OP actually wants) can
>> eventually lead to incompatibility between code that might be much
>> harder to detect. I personally don't want to bother with latest-latest
>> of all latest because eventually it could become a spaghetti code of
>> possible incompatibility and clashes.
>
> You can address these points in multiple ways:
>
> 1. A good backup and restore strategy
> 2. Virtual machines (ie a chromebook)
> 3. prioritize (m)elpa-stable over (m)elpa
> 4. el-get can get particular version from git
> ...
>
> --
> David Masterson
^ permalink raw reply [flat|nested] 19+ messages in thread
* RE: Sv: Install orgmode using its git repository.
2020-12-29 15:33 ` Leo Butler
@ 2020-12-29 17:16 ` arthur miller
2020-12-29 21:39 ` Robert Thorpe
2020-12-29 17:18 ` arthur miller
2020-12-29 23:44 ` Hongyi Zhao
2 siblings, 1 reply; 19+ messages in thread
From: arthur miller @ 2020-12-29 17:16 UTC (permalink / raw)
To: Leo Butler, help-gnu-emacs
I won't say anything about nix; it probably is very good and flexible system. I am also sure containers (docker, kubernetes etc) could be utilized to sandbox Emacs and what not. But I don't think it should not be mandatory. Emacs should run safe on bare metal.
However it is all personal. People can do whatever they want with their computers, and there are already solutions that integrate random github repos: quelpa and straight. But it is still individual's own initiative to use those. I don't think Emacs should have that built in.
In my opinion it opens for more security risks than needed, and also for possibility to very easily distribute binary blobs not compatible with GPL. It is not very difficult to get in those in Emacs now either, but at least it takes individual's own actions and is not automated from Emacs out of the box.
^ permalink raw reply [flat|nested] 19+ messages in thread
* RE: Sv: Install orgmode using its git repository.
2020-12-29 15:33 ` Leo Butler
2020-12-29 17:16 ` arthur miller
@ 2020-12-29 17:18 ` arthur miller
2020-12-29 23:44 ` Hongyi Zhao
2 siblings, 0 replies; 19+ messages in thread
From: arthur miller @ 2020-12-29 17:18 UTC (permalink / raw)
To: Leo Butler, help-gnu-emacs
Also if it is only for the org, one can add org package archive and fetch it via package.el already. I use to do it, so bare git access is certainly not mandatory to install latest org, if one that comes with Emacs is not enough.
-------- Originalmeddelande --------
Från: Leo Butler <leo.butler@umanitoba.ca>
Datum: 2020-12-29 16:49 (GMT+01:00)
Till: help-gnu-emacs <help-gnu-emacs@gnu.org>
Ämne: Re: Sv: Install orgmode using its git repository.
arthur miller <arthur.miller@live.com> writes:
> Nöje of that you write is particularly adequate "addressing" of potential security vulnerability that let's potential malicious code 1) install anything on your machine 2) steal your data 3) destroy your data.
>
> Maybe a virtual machine, but then you wouldn't be running your Emacs for anything sensitive or serious.
Actually, *nix systems have a very good way to handle these kinds of
threats without resort to such devices: users and groups. One can create
a user account with very limited privileges for working with unvetted
code, data, etc.
Actually, I do this for developing new code, too. That way, whatever I
break/change is contained within the confines of that account.
>
> A reviewed package from elpa/helps gives at least some guarantee that you are not getting binary blobs and/or directly malicious code installed on your machine.
Leo
>
>
> -------- Originalmeddelande --------
> Från: David Masterson <dsmasterson92630@outlook.com>
> Datum: 2020-12-28 22:44 (GMT+01:00)
> Till: arthur miller <arthur.miller@live.com>
> Kopia: Hongyi Zhao <hongyi.zhao@gmail.com>, Stefan Monnier <monnier@iro.umontreal.ca>, help-gnu-emacs <help-gnu-emacs@gnu.org>
> Ämne: Re: Sv: Install orgmode using its git repository.
>
> arthur miller <arthur.miller@live.com> writes:
>
>> I don't think it is very safe practice to install random Joe's code
>> directly from some git repo. We have not yet seen malicious code (not
>> what I know) in Emacs community, but Emacs in that respect is as bad
>> as MS Office from time when VBA scripts (and viruses) were shared
>> wildly around, or a web browserwith JS that can do anything. Remember
>> time when JS was off by default in all browsers? Elisp can do
>> whatever on your computer, so you should be careful what you
>> install. Installing from random git repos can open you for more
>> security problems then needed. I do clone lots from gitlab/github, but
>> I always look at the code myself before I ever run it.
>>
>> Another point is that installing from git and different branches as it
>> is possible with straight.el or quelpa (is what OP actually wants) can
>> eventually lead to incompatibility between code that might be much
>> harder to detect. I personally don't want to bother with latest-latest
>> of all latest because eventually it could become a spaghetti code of
>> possible incompatibility and clashes.
>
> You can address these points in multiple ways:
>
> 1. A good backup and restore strategy
> 2. Virtual machines (ie a chromebook)
> 3. prioritize (m)elpa-stable over (m)elpa
> 4. el-get can get particular version from git
> ...
>
> --
> David Masterson
^ permalink raw reply [flat|nested] 19+ messages in thread
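The limited-privilege account suggested in the message above contains unvetted code only as far as file modes keep that account out of the main account's files. An added example, not part of the thread, that audits which entries under a home directory an outside account could read or modify; the sample tree and the `authinfo` file name are constructed for illustration:

```python
import os
import stat
import tempfile


def reachable_by_others(root):
    """Sorted (relative path, issue) pairs that an outside account can reach."""
    findings = []
    if not os.lstat(root).st_mode & stat.S_IXOTH:
        return findings  # others cannot enter root at all
    for dirpath, dirnames, filenames in os.walk(root):
        descend = []
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own mode bits are not enforced
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                findings.append((rel, "writable"))
            elif mode & stat.S_IROTH:
                findings.append((rel, "readable"))
            # Contents are reachable only through directories with o+x.
            if stat.S_ISDIR(mode) and mode & stat.S_IXOTH:
                descend.append(name)
        dirnames[:] = descend  # prune directories others cannot traverse
    return sorted(findings)


def build_sample_home(base):
    """Constructed sample tree standing in for the main account's home."""
    os.chmod(base, 0o755)
    # (path, mode); authinfo is a hypothetical credentials file
    entries = [(".ssh/id_ed25519", 0o644), (".emacs.d/init.el", 0o644),
               (".emacs.d/authinfo", 0o666), ("notes/todo.org", 0o600)]
    for rel, mode in entries:
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    for rel, mode in ((".ssh", 0o700), (".emacs.d", 0o755), ("notes", 0o755)):
        os.chmod(os.path.join(base, rel), mode)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as home:
        build_sample_home(home)
        print(*reachable_by_others(home), sep="\n")
```

The check reads mode bits only, so group membership and ACLs are outside what it reports.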
* Re: Sv: Install orgmode using its git repository.
2020-12-29 17:16 ` arthur miller
@ 2020-12-29 21:39 ` Robert Thorpe
2020-12-30 0:07 ` Hongyi Zhao
0 siblings, 1 reply; 19+ messages in thread
From: Robert Thorpe @ 2020-12-29 21:39 UTC (permalink / raw)
To: arthur miller, help-gnu-emacs
For what it's worth, I agree with Arthur.

I'd point out that this sort of thing has happened before. A Python
package called "Colourama" was found to be manipulating bitcoin
addresses. When you put a bitcoin address into the clipboard it would
intercept it and replace it with a different one. Notice the British
spelling, the legitimate package was called "Colorama". The "Colourama"
package was a minor derivative with the bitcoin address trick added in.

Something similar happened to the NPM JavaScript library.

We also have to remember that there's the possibility of people hacking
things like github. Or obtaining the credentials of github users and
their signing keys. The recent problems at the US DoD were caused by
Solarwinds software. The hackers got into the Solarwinds source code
repository (due to very lax security, github & gitlab are probably
better). Once in the repository they made a few changes to the
sourcecode to introduce a backdoor.

As a result, I'm fairly wary of this idea of automatic downloading. On
the other hand, for many packages it's hardly practical to read the
whole sourcecode no matter how you obtain it.

BR,
Robert Thorpe

arthur miller <arthur.miller@live.com> writes:
> I won't say anything about nix; it probably is a very good and flexible system. I am also sure containers (docker, kubernetes etc) could be utilized to sandbox Emacs and what not. But I don't think it should not be mandatory. Emacs should run safe on bare metal.
>
> However it is all personal. People can do whatever they want with their computers, and there are already solutions that integrate random github repos: quelpa and straight. But it is still individual's own initiative to use those. I don't think Emacs should have that built in.
>
> In my opinion it opens for more security risks than needed, and also for possibility to very easily distribute binary blobs not compatible with GPL. It is not very difficult to get in those in Emacs now either, but at least it takes individual's own actions and is not automated from Emacs out of the box.
>
>
> -------- Original message --------
> From: Leo Butler <leo.butler@umanitoba.ca>
> Date: 2020-12-29 16:49 (GMT+01:00)
> To: help-gnu-emacs <help-gnu-emacs@gnu.org>
> Subject: Re: Sv: Install orgmode using its git repository.
>
> arthur miller <arthur.miller@live.com> writes:
>
>> None of that you write is particularly adequate "addressing" of potential security vulnerability that lets potential malicious code 1) install anything on your machine 2) steal your data 3) destroy your data.
>>
>> Maybe a virtual machine, but then you wouldn't be running your Emacs for anything sensitive or serious.
>
> Actually, *nix systems have a very good way to handle these kinds of
> threats without resort to such devices: users and groups. One can create
> a user account with very limited privileges for working with unvetted
> code, data, etc.
>
> Actually, I do this for developing new code, too. That way, whatever I
> break/change is contained within the confines of that account.
>
>>
>> A reviewed package from elpa/helps gives at least some guarantee that you are not getting binary blobs and/or directly malicious code installed on your machine.
>
> Leo
>
>
>>
>>
>> -------- Original message --------
>> From: David Masterson <dsmasterson92630@outlook.com>
>> Date: 2020-12-28 22:44 (GMT+01:00)
>> To: arthur miller <arthur.miller@live.com>
>> Cc: Hongyi Zhao <hongyi.zhao@gmail.com>, Stefan Monnier <monnier@iro.umontreal.ca>, help-gnu-emacs <help-gnu-emacs@gnu.org>
>> Subject: Re: Sv: Install orgmode using its git repository.
>>
>> arthur miller <arthur.miller@live.com> writes:
>>
>>> I don't think it is very safe practice to install random Joe's code
>>> directly from some git repo. We have not yet seen malicious code (not
>>> what I know) in Emacs community, but Emacs in that respect is as bad
>>> as MS Office from time when VBA scripts (and viruses) were shared
>>> wildly around, or a web browser with JS that can do anything. Remember
>>> time when JS was off by default in all browsers? Elisp can do
>>> whatever on your computer, so you should be careful what you
>>> install. Installing from random git repos can open you for more
>>> security problems than needed. I do clone lots from gitlab/github, but
>>> I always look at the code myself before I ever run it.
>>>
>>> Another point is that installing from git and different branches as it
>>> is possible with straight.el or quelpa (is what OP actually wants) can
>>> eventually lead to incompatibility between code that might be much
>>> harder to detect. I personally don't want to bother with latest-latest
>>> of all latest because eventually it could become a spaghetti code of
>>> possible incompatibility and clashes.
>>
>> You can address these points in multiple ways:
>>
>> 1. A good backup and restore strategy
>> 2. Virtual machines (ie a chromebook)
>> 3. prioritize (m)elpa-stable over (m)elpa
>> 4. el-get can get particular version from git
>> ...
>>
>> --
>> David Masterson
^ permalink raw reply [flat|nested] 19+ messages in thread
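The "Colourama"/"Colorama" case described in the message above is a one-character near miss of a legitimate name. An added example, not part of the thread, of a pre-install check that flags a requested package name sitting within a small edit distance of a name on an allow-list; the allow-list contents other than "colorama", the function names and the threshold of 2 are assumptions for illustration:

```python
import re


def normalize(name):
    """PEP 503 style normalization: lower-case, collapse runs of - _ ."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a, b):
    """Optimal string alignment distance: insertions, deletions,
    substitutions and adjacent transpositions each cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # swapped neighbours
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def check_name(requested, trusted, max_distance=2):
    """Return ("ok", name), ("suspicious", lookalike) or ("unknown", None)."""
    req = normalize(requested)
    known = {normalize(t): t for t in trusted}
    if req in known:
        return ("ok", known[req])
    near = sorted((osa_distance(req, k), t) for k, t in known.items())
    if near and near[0][0] <= max_distance:
        return ("suspicious", near[0][1])  # near miss of a trusted name
    return ("unknown", None)


# Constructed allow-list of names the user actually intends to install.
TRUSTED = ["colorama", "requests", "numpy"]

if __name__ == "__main__":
    for name in ("colorama", "Colourama", "reqeusts", "flask"):
        print(name, check_name(name, TRUSTED))
```

With short names a threshold of 2 also matches unrelated legitimate packages, so a "suspicious" result is a prompt to look at the package before installing, not a verdict.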
* Re: Sv: Install orgmode using its git repository.
2020-12-29 15:33 ` Leo Butler
2020-12-29 17:16 ` arthur miller
2020-12-29 17:18 ` arthur miller
@ 2020-12-29 23:44 ` Hongyi Zhao
2 siblings, 0 replies; 19+ messages in thread
From: Hongyi Zhao @ 2020-12-29 23:44 UTC (permalink / raw)
To: Leo Butler; +Cc: help-gnu-emacs
On Tue, Dec 29, 2020 at 11:49 PM Leo Butler <leo.butler@umanitoba.ca> wrote:
>
> arthur miller <arthur.miller@live.com> writes:
>
> > None of that you write is particularly adequate "addressing" of potential security vulnerability that lets potential malicious code 1) install anything on your machine 2) steal your data 3) destroy your data.
> >
> > Maybe a virtual machine, but then you wouldn't be running your Emacs for anything sensitive or serious.
>
> Actually, *nix systems have a very good way to handle these kinds of
> threats without resort to such devices: users and groups. One can create
> a user account with very limited privileges for working with unvetted
> code, data, etc.
>
> Actually, I do this for developing new code, too. That way, whatever I
> break/change is contained within the confines of that account.
Docker is a more excellent option for this sort of job.
BR,
--
Assoc. Prof. Hongyi Zhao <hongyi.zhao@gmail.com>
Theory and Simulation of Materials
Hebei Polytechnic University of Science and Technology engineering
NO. 552 North Gangtie Road, Xingtai, China
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Sv: Install orgmode using its git repository.
2020-12-29 21:39 ` Robert Thorpe
@ 2020-12-30 0:07 ` Hongyi Zhao
0 siblings, 0 replies; 19+ messages in thread
From: Hongyi Zhao @ 2020-12-30 0:07 UTC (permalink / raw)
To: Robert Thorpe; +Cc: help-gnu-emacs, arthur miller
On Wed, Dec 30, 2020 at 5:40 AM Robert Thorpe
<rt@robertthorpeconsulting.com> wrote:
>
> For what it's worth, I agree with Arthur.
>
> I'd point out that this sort of thing has happened before. A Python
> package called "Colourama" was found to be manipulating bitcoin
> addresses. When you put a bitcoin address into the clipboard it would
> intercept it and replace it with a different one. Notice the British
> spelling, the legitimate package was called "Colorama". The "Colourama"
> package was a minor derivative with the bitcoin address trick added in.
>
> Something similar happened to the NPM Javascript library.
>
> We also have to remember that there's the possibility of people hacking
> things like github. Or obtaining the credentials of github users and
> their signing keys. The recent problems at the US DoD were caused by
> Solarwinds software. The hackers got into the Solarwinds source code
> repository (due to very lax security, github & gitlab are probably
> better). Once in the repository they made a few changes to the
> sourcecode to introduce a backdoor.
>
> As a result, I'm fairly wary of this idea of automatic downloading. On
> the other hand, for many packages it's hardly practical to read the
> whole sourcecode no matter how you obtain it.
Elisp, just like any Lisp derivative, has a very steep learning curve.
They all have a fairly simple grammatical structure at first
glance, but it is so difficult to master and use them skillfully.
BR,
--
Assoc. Prof. Hongyi Zhao <hongyi.zhao@gmail.com>
Theory and Simulation of Materials
Hebei Polytechnic University of Science and Technology engineering
NO. 552 North Gangtie Road, Xingtai, China
^ permalink raw reply [flat|nested] 19+ messages in thread