bug#75017: 31.0.50; Untrusted user lisp files

[Stefan Kangas <stefankangas@gmail.com>]

Eli Zaretskii <eliz@gnu.org> writes:

>> From: john muhl <jm@pub.pink>
>> Date: Sat, 21 Dec 2024 14:48:52 -0600
>>
>> user-init-file is trusted by default but not other user files.
>>
>>   C-xf ~/.emacs.d/early-init.el
>>   M-x flymake-mode
>>
>> Produces a warning:
>>
>>   Disabling elisp-flymake-byte-compile in early-init.el (untrusted content)
>>
>> custom-file (when not the same as user-init-file) also causes a
>> warning. Should these also be trusted by default?
>
> No, not IMO.  Please add those files you know you can trust to the
> list of trusted files, and let's see if that works well for you.  If,
> after you have used that for some time, you have observations to
> report or changes to suggest, please do, but let's please base such
> observations on some sufficiently significant (read: long enough)
> experience.
>
>> What about files put in place by a system admin or your distro’s
>> Emacs package (e.g. site-run-file, default.el)? They generally
>> require root priviledges to install so if they can’t be trusted
>> you’re already in trouble.
>
> On my system, these files do not need any admin privileges, so I don't
> think we should trust them by default.  Users who know that these
> files are modified only by trusted admins can and probably should add
> them to the list of trusted files, if they need that (in general,
> there should be no need to run Flymake in those files, in which case
> these files don't need to be added even if they are trusted).

I don't think it's meaningful to consider them as not
`trusted-content-p`, when we automatically load these files into any
running Emacs session.

> Btw, if we are talking about trusted admins, then entire directories
> should be trusted, for example /usr/share or /usr/share/emacs.

Yes, though we'd have to discuss which directories those are;
`load-path` and `source-directory` are two candidates.

> There's a reason why we didn't do that by default.

My understanding is that we just didn't consider all of these cases.
At least I didn't.

If others did, it wasn't sufficiently explicit for me to notice.