From: Tim Cross
To: emacs-orgmode@gnu.org
Subject: Re: bug#58774: 29.0.50; [WISH]: Let us make EWW browse WWW Org files correctly
Date: Thu, 27 Oct 2022 08:41:13 +1100
In-reply-to: <87eduusst7.fsf@web.de>
References: <86bkq0qf8p.fsf@protected.rcdrun.com> <87bkq0t03l.fsf@web.de> <87v8o7qzff.fsf@localhost> <87zgdjoz3r.fsf@localhost> <87eduusst7.fsf@web.de>
Message-ID: <86y1t2ky60.fsf@gmail.com>
User-agent: mu4e 1.9.1; emacs 29.0.50
"Dr. Arne Babenhauserheide" writes:

> Ihor Radchenko writes:
>
>> If necessary, we can introduce a special variable in Org mode that will
>> disable all the potential third-party code evaluation, even if user has
>> customized Org to execute code without prompt.
>
> If that would be part of org-mode, this would be close to a
> safe-org-mode.
>
> An important part in what I wrote about safe-org-mode is that it has to
> ensure that what is shown cannot trick the user into thinking something
> else would get run.
>
> A way to reduce risk would be to introduce a domain-allow-list (or
> prefix-allow-list) in eww for filetypes that could be unsafe, so you
> could for example add "orgmode.org" to your allowlist and for those
> domains org-files would auto-open in org-mode.
>
> Such security risks have a tendency of getting weaponized down the road
> when they really hurt. Like when people didn’t care about npm
> dependencies and had them suddenly deleting their files. And opening in
> the currently used Emacs may give a malicious file access to remote
> files opened via tramp, even if you (by virtue of being careful) require
> a password for the connection to sensitive servers. That way, running
> something in Emacs can be even more dangerous than running it in the
> shell.
> and people constantly use M-x package-install to install packages from GNU ELPA, nonGNU ELPA and MELPA, often with this misguided belief that these packages are being vetted by the security fairies.

As was seen after the OpenSSL security failures, just because lots of people use something and just because lots of people may work on and look at the code, it is no guarantee the code is secure or has no malicious content. Our systems have become far too complex for such ad hoc processes to provide any assurance. Likewise, as has been shown with NPM and various browser 'extension stores', packages which were once trustworthy can easily become owned/developed by new parties who have less ability or are less trustworthy.

While adding the sorts of controls you outline is not a bad idea, I think it is far more important to train people to accept that their system simply is not secure. You should start from the position that Emacs is not secure. Why? Because it is a large, complex and powerful piece of software which has no formal security analysis or testing and is usually augmented with numerous packages of unknown quality from largely unknown sources. Essentially, Emacs already suffers from all the same issues identified for systems like node and the NPM ecosystem.

The only thing which is really providing protection for us Emacs users is that the rewards for compromising Emacs are too low for the effort required. Similar to why you don't see many viruses on macOS - it isn't that it is significantly more secure than Windows (these days), but rather the pool of potential 'targets' and scale of rewards are higher when you focus on the Windows environment. It is all about return on investment.

Security is a huge challenge for open source. The effort and resources required to constantly analyse and test projects for security issues are too high for most medium to large projects.
The fact that many open source projects also rely on other open source projects for various libraries etc. also means that, in addition to worrying about the security of the code in a project, the project also has to worry about 'supply chain' security, i.e. ensuring the external project dependencies are also secure and securely managed.

So what do we do? In the famous words of Douglas Adams, "Don't Panic!" Rather than worry if some package or change will make Emacs less secure, assume it already is insecure and then examine how you use it and consider both the likelihood of being compromised and the impact when that occurs. This will differ depending on who you are and what you do. For example, if you're a researcher working in a field where your research has high commercial value, or a journalist working in countries with a poor human rights history where government parties may want to compromise your sources etc., both the likelihood and consequences could be high and you may need to take additional measures or modify how you use Emacs (e.g. only use packages you have reviewed and tested and only update after formal review and testing of the updated version, don't use Emacs for email or web browsing, only run Emacs in an isolated locked down container etc.). On the other hand, if you're just a keen hobbyist, the likelihood and consequences of a security breach are both likely low and you may decide adding additional packages is an acceptable risk.

Even if you decide your risks are low, you may still decide to not use Emacs for some purposes. For example, you might decide not to use Emacs for password management or not use Emacs packages which require you to keep sensitive data (tokens, passwords, API keys etc.) using insecure mechanisms etc. Keep in mind that convenience and complexity are often the two biggest threats to security. Assess risks within your own personal context as what is appropriate for one person may not be for another.
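As an added illustration, not code from this thread nor from Org or eww, here is how the two quoted proposals could fit together: a buffer-local lockdown that makes Org refuse every code-evaluation path, and an origin allow-list that decides whether a remotely fetched Org file gets that lockdown. The `my/` names, the host list and the `my/display-remote-org` hand-off point are assumptions; the `org-*`, `url-*` and `enable-local-*` symbols are real Emacs/Org variables and functions.

```elisp
;; Added example (not from the thread or from Org/eww); my/ names are assumptions.
(require 'org)
(require 'ox)        ; org-export-use-babel, org-export-allow-bind-keywords
(require 'url-parse) ; url-generic-parse-url, url-host

(defvar my/org-trusted-hosts '("orgmode.org")
  "Assumed allow-list: hosts whose Org files may open with evaluation enabled.")

(defun my/org-url-trusted-p (url)
  "Return t when the host part of URL is on `my/org-trusted-hosts'."
  (let ((host (url-host (url-generic-parse-url url))))
    (and host (member (downcase host) my/org-trusted-hosts) t)))

(defun my/org-lockdown-buffer ()
  "Refuse, rather than prompt for, every code-evaluation path in this buffer.
Everything is buffer-local, so trusted buffers keep the user's own settings."
  ;; Babel calls this with (LANG BODY) before any block runs, interactively
  ;; and during export.  Signalling an error aborts evaluation outright and,
  ;; unlike a default `:eval no' header, cannot be undone by header
  ;; arguments written into the document itself.
  (setq-local org-confirm-babel-evaluate
              (lambda (_lang _body)
                (user-error "Code evaluation is disabled: untrusted origin")))
  (setq-local org-export-use-babel nil)
  (setq-local org-export-allow-bind-keywords nil)
  ;; shell: and elisp: links ask these functions first; a nil answer aborts.
  (setq-local org-link-shell-confirm-function #'ignore)
  (setq-local org-link-elisp-confirm-function #'ignore))

(defun my/display-remote-org (url text)
  "Show TEXT, an Org document fetched from URL, as an Org buffer.
Hypothetical hand-off point for eww: Org mode is always enabled, but
evaluation stays possible only for allow-listed hosts."
  (let ((buf (get-buffer-create (format "*org: %s*" url)))
        ;; Never let file-local variables in fetched text run code.
        (enable-local-variables nil)
        (enable-local-eval nil))
    (with-current-buffer buf
      (erase-buffer)
      (insert text)
      (org-mode)
      (unless (my/org-url-trusted-p url)
        (my/org-lockdown-buffer)
        (setq header-line-format
              (format "Untrusted origin %s: code evaluation disabled" url))))
    (pop-to-buffer buf)))
```

Because the lockdown is buffer-local, a user who has set `org-confirm-babel-evaluate` to nil globally keeps that convenience for files from allow-listed hosts while untrusted ones still cannot run anything.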