Clarification on using safe-local-variable-values

Clarification on using safe-local-variable-values

[Andrew M. Scott]

I'm confused at how to use the new safe-local-variable-values
added on Feb 14, 2006 is supposed to work.

% emacs -Q &

C-x C-f ~/.mailrc, where ~/.mailrc is under RCS control

which has this at the bottom:

# Local Variables:
# after-save-hook: build-mail-aliases
# End:

I get prompted with a *Local Variables* buffer:

The local variables list in .mailrc
contains variables that are risky (**).

Do you want to apply it? You can type
y  -- to apply the local variables list
n  -- to ignore the local variables list
!  -- to apply the local variables list, and mark these values (*) as
      safe (in the future, they can be set automatically.)\n\n")

 ** after-save-hook : build-mail-aliases

and with minibuffer:

Please type y, n, or !:

Q1: Curiously, with my cursor now at the end of the minibuffer line,
    Emacs did not respond to C-x o or mouse (I wanted to select the
    contents of the *Local Variables* buffer for submission in this
    email). Is this intentional?

Q2: Exactly where/how is the result of option "!" stored?

    I chose option "!" and visited the ~/.mailrc file.

    C-h v safe-local-variable-values still returned nil

    yet C-h N addition hints that safe-local-variable-values 
    should be updated with my change (somewhere?):

    At the prompt, the user can choose to save the contents of this local
    variables list to `safe-local-variable-values'.  This new customizable
    option is a list of variable-value pairs that are known to be safe.
    Variables can also be marked as safe with the existing
    `safe-local-variable' property (see `safe-local-variable-p').
    However, risky variables will not be added to
    `safe-local-variable-values' in this way.

    I also looked and didn't see any update to any ~/.customize* or 
    ~/.emacs.d/* files, or any other file in ~/.

    If I kill the ~/.mailrc buffer and revisit it, I get prompted
    with the same *Local Variables* buffer scenario as the 
    first time.

Thanks,
Andy Scott

In GNU Emacs 22.0.50.1 (x86_64-unknown-linux-gnu, X toolkit)
 of 2006-03-07 on chls308
X server distributor `The XFree86 Project, Inc', version 11.0.40201000

Important settings:
  value of $LC_ALL: nil
  value of $LC_COLLATE: C
  value of $LC_CTYPE: nil
  value of $LC_MESSAGES: nil
  value of $LC_MONETARY: nil
  value of $LC_NUMERIC: nil
  value of $LC_TIME: nil
  value of $LANG: en_US.UTF-8
  locale-coding-system: utf-8
  default-enable-multibyte-characters: t

Major mode: Emacs-Lisp

Minor modes in effect:
  tooltip-mode: t
  auto-compression-mode: t
  tool-bar-mode: t
  mouse-wheel-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  blink-cursor-mode: t
  unify-8859-on-encoding-mode: t
  utf-translate-cjk-mode: t
  line-number-mode: t

Recent input:
C-x C-f . m a i l r c <return> C-x o <help-echo> <help-echo> 
<help-echo> <down-mouse-1> <drag-mouse-1> <down-mouse-1> 
<drag-mouse-1> C-x C-c <help-echo> <down-mouse-1> <help-echo> 
<drag-mouse-1> <help-echo> <down-mouse-1> <mouse-1> 
C-g C-h v s a f e - <tab> <tab> v a <backspace> <backspace> 
e v <tab> <return> C-h v s a f e - <tab> <tab> v a 
<tab> <return> C-x o C-e C-b C-b C-b C-b <return> C-x 
1 C-s ! <down-mouse-4> <mouse-4> <down-mouse-4> <mouse-4> 
<down-mouse-4> <mouse-4> <help-echo> <help-echo> <help-echo> 
<help-echo> <help-echo> <help-echo> <help-echo> <help-echo> 
<help-echo> <help-echo> <menu-bar> <help-menu> <re
port-emacs-bug>

Recent messages:
Loading pp...done
Type C-x 1 to remove help window.  
Making completion list...
Loading find-func...done
Loading jka-compr...done
uncompressing files.el.gz...done
Mark saved where search started
Loading emacsbug...
Loading regexp-opt...done
Loading emacsbug...done

Re: Clarification on using safe-local-variable-values

[Chong Yidong]

"Andrew M. Scott" <amscott1@sedona.ch.intel.com> writes:

> % emacs -Q &
>
> I get prompted with a *Local Variables* buffer:
>
> The local variables list in .mailrc
> contains variables that are risky (**).
>
> Do you want to apply it? You can type
> y  -- to apply the local variables list
> n  -- to ignore the local variables list
> !  -- to apply the local variables list, and mark these values (*) as
>       safe (in the future, they can be set automatically.)\n\n")

For Emacs -Q, you should not be prompted to save, since there is no
custom-file or user-init-file.  I will change this.

> Q1: Curiously, with my cursor now at the end of the minibuffer line,
>     Emacs did not respond to C-x o or mouse (I wanted to select the
>     contents of the *Local Variables* buffer for submission in this
>     email). Is this intentional?

Yes.  (There are similar prompts elsewhere in Emacs, such as the
disabled-command prompt --- e.g., C-x C-l.)

> Q2: Exactly where/how is the result of option "!" stored?

Same place as any other customizations.  As I mentioned, I'll remove
the option to save for the case where custom-file and user-init-file
are nil.

Re: Clarification on using safe-local-variable-values

[Andrew M. Scott]

Chong,

    Chong> For Emacs -Q, you should not be prompted to save, since
    Chong> there is no custom-file or user-init-file. I will change
    Chong> this.

    >> Q2: Exactly where/how is the result of option "!" stored?

    Chong> Same place as any other customizations. As I mentioned,
    Chong> I'll remove the option to save for the case where
    Chong> custom-file and user-init-file are nil.

I did use emacs -Q for the bug report.

I see the same symptoms when using
% emacs &

where:
custom-file    is "/eng/eng10/amscott1/.emacs-customize"
user-init-file is "/eng/eng10/amscott1/.emacs"

C-h C-f ~/.mailrc

After answering "!" in the *Local Variables* buffer,

C-h v safe-local-variable-values returns nil

FYI, both my ~/.emacs and ~/.emacs-customize are normally
write-protected (under RCS), but even when checked out and running the
same commands after emacs invocation, I don't see changes to
safe-local-variables-values nor any files.

Andy Scott

Re: Clarification on using safe-local-variable-values

[Chong Yidong]

"Andrew M. Scott" <amscott1@sedona.ch.intel.com> writes:

> % emacs &
>
> where:
> custom-file    is "/eng/eng10/amscott1/.emacs-customize"
> user-init-file is "/eng/eng10/amscott1/.emacs"
>
> C-h C-f ~/.mailrc
>
> After answering "!" in the *Local Variables* buffer,
>
> C-h v safe-local-variable-values returns nil
>
> FYI, both my ~/.emacs and ~/.emacs-customize are normally
> write-protected (under RCS), but even when checked out and running the
> same commands after emacs invocation, I don't see changes to
> safe-local-variables-values nor any files.

That is not my experience.  Please send a precise test case.  For
instance, with an empty user init file, I do

  echo "-*- foo: 1 -*-" > foo.txt
  emacs foo.txt
  !
  C-h v safe-local-variable-values RET

  -| safe-local-variable-values is a variable defined in `files.el'.
     Its value is ((foo . 1))

Re: Clarification on using safe-local-variable-values

[Andrew M. Scott]

>>>>> "Chong" == Chong Yidong <cyd@stupidchicken.com> writes:

    Chong> "Andrew M. Scott" <amscott1@sedona.ch.intel.com> writes:
    >> % emacs &
    >> 
    >> where: custom-file is "/eng/eng10/amscott1/.emacs-customize"
    >> user-init-file is "/eng/eng10/amscott1/.emacs"
    >> 
    >> C-h C-f ~/.mailrc
    >> 
    >> After answering "!" in the *Local Variables* buffer,
    >> 
    >> C-h v safe-local-variable-values returns nil
    >> 
    >> FYI, both my ~/.emacs and ~/.emacs-customize are normally
    >> write-protected (under RCS), but even when checked out and
    >> running the same commands after emacs invocation, I don't see
    >> changes to safe-local-variables-values nor any files.

    Chong> That is not my experience. Please send a precise test case.
    Chong> For instance, with an empty user init file, I do

    Chong>   echo "-*- foo: 1 -*-" > foo.txt emacs foo.txt ! C-h v
    Chong>   safe-local-variable-values RET

    Chong>   -| safe-local-variable-values is a variable defined in
    Chong>   `files.el'.
    Chong>      Its value is ((foo . 1))

Testcase: The issue seems to be with using the alternate Local
Variables section at the end of a file:

% mv .mailrc .mailrc.bak
% echo "# Local Variables:" >! .mailrc
% echo "# after-save-hook: ((lambda () (build-mail-aliases)))" >> .mailrc
% echo "# End:" >> .mailrc

% cat .mailrc
# Local Variables:
# after-save-hook: ((lambda () (build-mail-aliases)))
# End:

% emacs .mailrc  and answer the prompt with "!"

C-h v safe-local-variable-values returns nil

safe-local-variable-values is a variable defined in `files.el'.
Its value is nil
             ^^^^ this is wrong

C-h v after-save-hook

after-save-hook is a variable defined in `files.el'.
Its value is 
((lambda nil
     (build-mail-aliases)))

Local in buffer .mailrc; global value is 
(vm-unblock-new-mail fast-lock-save-cache-after-save-file write-exec-hook)

Documentation:
Normal hook that is run after a buffer is saved to its file.


Andy Scott

Re: Clarification on using safe-local-variable-values

[Chong Yidong]

"Andrew M. Scott" <amscott1@sedona.ch.intel.com> writes:

> % mv .mailrc .mailrc.bak
> % echo "# Local Variables:" >! .mailrc
> % echo "# after-save-hook: ((lambda () (build-mail-aliases)))" >> .mailrc
> % echo "# End:" >> .mailrc
>
> % cat .mailrc
> # Local Variables:
> # after-save-hook: ((lambda () (build-mail-aliases)))
> # End:
>
> % emacs .mailrc  and answer the prompt with "!"
>
> C-h v safe-local-variable-values returns nil
>
> safe-local-variable-values is a variable defined in `files.el'.
> Its value is nil
>              ^^^^ this is wrong

That is working as intended.  Emacs does not save after-save-hook
because that is a risky local variable, and those are never saved.

We should probably avoid offering to save when the only local
variables in the list are risky ones; I will implement that.

Re: Clarification on using safe-local-variable-values

[Kim F. Storm]

Chong Yidong <cyd@stupidchicken.com> writes:

>> # after-save-hook: ((lambda () (build-mail-aliases)))

> That is working as intended.  Emacs does not save after-save-hook
> because that is a risky local variable, and those are never saved.

I don't quite understand...

If the user has said that it is safe to use that specific value
of that variable, why can't you save that value?  The reason why
the user want to save it, is to avoid the question in the future.

Maybe you can [somehow] adjust the spec of safe-local-variable-values to
include either
- the file name where this setting is allowed, or
- a regexp mathings file name where this setting is allowed, or
- the major mode of the buffer where this is a valid setting

WDYT?

A fundamentally different approach is this:

When asked to save local variables+values, make an MD5 hash of the
buffer local variables/values (+ full file-name if any of the 
variables is local-buffer-risky), and add that MD5 to a new
list safe-local-variable-hash which has alists of the form:

("MD5-askdjashdskj" . ALLOW_DENY)

Then, next time file is opened, before asking for confirmation of
local variables, emacs consults this list and if the MD5 is already
there, allow the local variables if ALLOW_DENY is t, reject them (silently)
if ALLOW_DENY is nil

In all other cases ask user for confirmation.

This has the added benefit of allowing a user to permanently
reject executing a given set of buffer-local variables.

-- 
Kim F. Storm <storm@cua.dk> http://www.cua.dk

Re: Clarification on using safe-local-variable-values

[Chong Yidong]

storm@cua.dk (Kim F. Storm) writes:

> Chong Yidong <cyd@stupidchicken.com> writes:
>
>>> # after-save-hook: ((lambda () (build-mail-aliases)))
>
>> That is working as intended.  Emacs does not save after-save-hook
>> because that is a risky local variable, and those are never saved.
>
> I don't quite understand...
>
> If the user has said that it is safe to use that specific value
> of that variable, why can't you save that value?  The reason why
> the user want to save it, is to avoid the question in the future.

I suggested this some time ago, but nobody responded.

Note that allowing saves for risky local variables is practically
equivalent to eliminating the concept of risky local variables.  If
Emacs allows saves for any variable not considered safe, the
`risky-local-variable' property has no special effect (as far as the
loading of local variables is concerned).

Re: Clarification on using safe-local-variable-values

[Richard Stallman]

    Q1: Curiously, with my cursor now at the end of the minibuffer line,
	Emacs did not respond to C-x o or mouse (I wanted to select the
	contents of the *Local Variables* buffer for submission in this
	email). Is this intentional?

Of course.  When emacs is reading a single character of input,
it does not respond to editing commands.

	yet C-h N addition hints that safe-local-variable-values 
	should be updated with my change (somewhere?):

The code seems to set safe-local-variable-values, then update .emacs
to bring back the same value in future sessions.  So if the value of
safe-local-variable-values does not change, that is anomalous.

	If I kill the ~/.mailrc buffer and revisit it, I get prompted
	with the same *Local Variables* buffer scenario as the 
	first time.

Well, that shows ! failed to do its job.  Can you debug it?

Re: Clarification on using safe-local-variable-values

[Richard Stallman]

    > !  -- to apply the local variables list, and mark these values (*) as
    >       safe (in the future, they can be set automatically.)\n\n")

    For Emacs -Q, you should not be prompted to save, since there is no
    custom-file or user-init-file.  I will change this.

You can't save them for future sessions, but you can save them for the
rest of the current session.  So ! should still be available with -q,
only the explanation should be different.

Re: Clarification on using safe-local-variable-values

[Luc Teirlinck]

Chong Yidong wrote:

   Note that allowing saves for risky local variables is practically
   equivalent to eliminating the concept of risky local variables.  If
   Emacs allows saves for any variable not considered safe, the
   `risky-local-variable' property has no special effect (as far as the
   loading of local variables is concerned).

I believe that Richard decided that _every_ variable should be
considered risky, except when explicitly marked safe.  It would seem
that this new concept of riskiness supersedes the old one and renders
it obsolete.

Sincerely,

Luc.

Re: Clarification on using safe-local-variable-values

[Richard Stallman]

    I believe that Richard decided that _every_ variable should be
    considered risky, except when explicitly marked safe.

I decided that every variable should be considered _somewhat_ risky,
if not explicitly marked safe.  This does not _necessarily_ mean
there is no such thing as degrees of risk, so it does not _necessarily_ mean
we should eliminate the concept of marking a variable as risky.

I am not sure that the current way of handling variables marked
risky is really best.  But it might be useful.  So let's leave it
alone, for now.  There is no need to change it.

Re: Clarification on using safe-local-variable-values

[Kim F. Storm]

Chong Yidong <cyd@stupidchicken.com> writes:

> Note that allowing saves for risky local variables is practically
> equivalent to eliminating the concept of risky local variables.  

Why?  If we approve it for a specific combination of variables/values
in a specific file only, how can it be equivalent?

>                                                                  If
> Emacs allows saves for any variable not considered safe, the
> `risky-local-variable' property has no special effect (as far as the
> loading of local variables is concerned).

Did you read my proposal to do an MD5 checksum over the local
variables + filename if any of the variables are risky?

I think it is a _safe_ way to save a specific combination of risky
variables.

-- 
Kim F. Storm <storm@cua.dk> http://www.cua.dk