From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!.POSTED!not-for-mail From: Stefan Monnier Newsgroups: gmane.emacs.devel Subject: Re: package security auditing and isolation Date: Thu, 06 Apr 2017 16:12:22 -0400 Message-ID: References: <87h9211v1c.fsf@lifelogs.com> <87d1cp1qvd.fsf@lifelogs.com> <8737dl1gol.fsf@lifelogs.com> NNTP-Posting-Host: blaine.gmane.org Mime-Version: 1.0 Content-Type: text/plain X-Trace: blaine.gmane.org 1491509583 28114 195.159.176.226 (6 Apr 2017 20:13:03 GMT) X-Complaints-To: usenet@blaine.gmane.org NNTP-Posting-Date: Thu, 6 Apr 2017 20:13:03 +0000 (UTC) User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.50 (gnu/linux) To: emacs-devel@gnu.org Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Thu Apr 06 22:12:57 2017 Return-path: Envelope-to: ged-emacs-devel@m.gmane.org Original-Received: from lists.gnu.org ([208.118.235.17]) by blaine.gmane.org with esmtp (Exim 4.84_2) (envelope-from ) id 1cwDlq-0005Sa-RA for ged-emacs-devel@m.gmane.org; Thu, 06 Apr 2017 22:12:42 +0200 Original-Received: from localhost ([::1]:47553 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cwDlw-0002RQ-Pi for ged-emacs-devel@m.gmane.org; Thu, 06 Apr 2017 16:12:48 -0400 Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:36494) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cwDlq-0002R7-AG for emacs-devel@gnu.org; Thu, 06 Apr 2017 16:12:43 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cwDln-0006zE-1T for emacs-devel@gnu.org; Thu, 06 Apr 2017 16:12:42 -0400 Original-Received: from [195.159.176.226] (port=58844 helo=blaine.gmane.org) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1cwDlm-0006z0-RA for emacs-devel@gnu.org; Thu, 06 Apr 2017 16:12:38 -0400 Original-Received: from list by blaine.gmane.org with local (Exim 4.84_2) (envelope-from ) id 1cwDld-0004CI-AI for emacs-devel@gnu.org; Thu, 06 Apr 2017 22:12:29 +0200 X-Injected-Via-Gmane: http://gmane.org/ Original-Lines: 37 Original-X-Complaints-To: usenet@blaine.gmane.org Cancel-Lock: sha1:jpxMjce3H70DP5ku0TBELbN4fhI= X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 195.159.176.226 X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Original-Sender: "Emacs-devel" Xref: news.gmane.org gmane.emacs.devel:213722 Archived-At: > We have to operate openly, because it's the only practical choice other > than forming a cabal or ignoring the problem. Agreed. > Heuristics are not what I had in mind. You mentioned "finding the function calls that can be dangerous", which to me sounds like the usual flawed approach of "anti-virus" looking for the known exploits. > a) Can the parse tree of a package be analyzed safely (without running > code in the package)? Is it deterministic? Yes, currently the reader is pretty much unaffected by Elisp code. > b) If the parse tree of a package is analyzed, and only has whitelisted > functions such as `string-equal' in it, does that make the package safe? We have unsafep.el which tries to use such a white-list approach. I doubt it's really bulletproof, but in any case I don't think you could write a useful Elisp package with that subset. [ IIRC it was introduced as part of ses.el to check safety of formulas in SES spreadsheets, so full-generality was not a goal. ] > c) Can the parse tree of a package be compared deterministically at two > separate VCS checkpoints to find what's changed? Yes, of course. > d) Can the changes to the parse tree between two VCS checkpoints be > signed by a reviewer? Technically, yes, of course. Stefan