From: Liliana Marie Prikler <liliana.prikler@gmail.com>
To: Max Brieiev <max.brieiev@gmail.com>
Cc: Konrad Hinsen <konrad.hinsen@fastmail.net>,
"Thompson, David" <dthompson2@worcester.edu>,
57878@debbugs.gnu.org
Subject: bug#57878: Minimal reproducible setup
Date: Thu, 13 Oct 2022 20:23:06 +0200 [thread overview]
Message-ID: <603e94929389d6d4c61939fb3a7251ea74d632ae.camel@gmail.com> (raw)
In-Reply-To: <87wn943w9p.fsf@gmail.com>
Am Donnerstag, dem 13.10.2022 um 12:31 +0300 schrieb Max Brieiev:
> > I think this reasoning really falls flat in presence of any non-
> > Emacs package manager. Like, obviously wanting to natively compile
> > packages managed by (dpkg, rpm, pacman, emerge, guix), but not
> > natively compiling a random elisp script you just downloaded from
> > the web is a legitimate use case.
>
> If security is a concern, you should not load random Elisp in the
> first place. It is much easier to just directly run harmful elisp,
> then to exploit native compiler, which stays silent until after you
> evaluate some (possibly harmful) elisp.
The nature of compiled code being compiled makes it much easier to
exploit, however. Assume you have a genuine dash.el, but a malicious
person delivers you a dash.eln with some backdoor. Unless you know how
to read x86 assembly, you won't debug the latter, whereas you could
reasonably find the former if you're an Elisp hacker.
This is typically not a concern for Guix, where the challenge mechanism
provides tools to highlight that something is going wrong, but it might
be a concern for traditional distros. Then again, the same applies to
bytecode too, and here as well the solution is to typically use a
trusted package manager.
Cheers
next prev parent reply other threads:[~2022-10-13 18:24 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-17 9:09 bug#57878: Emacs native compilation on startup can crash the system Konrad Hinsen
2022-09-17 10:28 ` bug#57878: Minimal reproducible setup Konrad Hinsen
2022-09-17 15:45 ` Konrad Hinsen
2022-09-17 23:19 ` Liliana Marie Prikler
2022-09-18 18:35 ` Liliana Marie Prikler
2022-09-19 6:04 ` Konrad Hinsen
2022-09-19 8:51 ` Konrad Hinsen
2022-10-02 0:15 ` Thompson, David
2022-10-02 0:23 ` Liliana Marie Prikler
2022-10-02 8:25 ` Konrad Hinsen
2022-10-12 19:42 ` Liliana Marie Prikler
2022-10-13 9:31 ` Max Brieiev
2022-10-13 18:23 ` Liliana Marie Prikler [this message]
2022-10-14 16:07 ` zimoun
2022-10-14 18:22 ` Liliana Marie Prikler
2022-10-15 10:11 ` zimoun
2022-10-15 14:40 ` Liliana Marie Prikler
2022-10-15 15:40 ` zimoun
2022-10-15 16:30 ` Liliana Marie Prikler
2022-10-25 16:23 ` Max Brieiev
2022-10-25 18:31 ` Liliana Marie Prikler
2022-10-26 7:46 ` zimoun
2022-10-11 10:04 ` zimoun
2022-10-13 10:06 ` Max Brieiev
2023-10-12 14:50 ` bug#57878: Emacs native compilation on startup can crash the system Ludovic Courtès
2023-10-14 14:37 ` Konrad Hinsen
2022-12-09 14:30 ` bug#57878: Some further investigation Konrad Hinsen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=603e94929389d6d4c61939fb3a7251ea74d632ae.camel@gmail.com \
--to=liliana.prikler@gmail.com \
--cc=57878@debbugs.gnu.org \
--cc=dthompson2@worcester.edu \
--cc=konrad.hinsen@fastmail.net \
--cc=max.brieiev@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).