GNU bug report logs - #58774
29.0.50; [WISH]: Let us make EWW browse WWW Org files correctly


Package: emacs;

Reported by: Jean Louis <bugs <at> gnu.support>

Date: Tue, 25 Oct 2022 12:13:02 UTC

Severity: wishlist

Tags: wontfix

Found in version 29.0.50

Done: Stefan Kangas <stefankangas <at> gmail.com>

Bug is archived. No further changes may be made.


From: "Dr. Arne Babenhauserheide" <arne_bab <at> web.de>
To: Jean Louis <bugs <at> gnu.support>
Cc: 58774 <at> debbugs.gnu.org, Max Nikulin <manikulin <at> gmail.com>, emacs-orgmode <at> gnu.org
Subject: bug#58774: 29.0.50; [WISH]: Let us make EWW browse WWW Org files correctly
Date: Fri, 28 Oct 2022 01:14:40 +0200
Jean Louis <bugs <at> gnu.support> writes:

> * Dr. Arne Babenhauserheide <arne_bab <at> web.de> [2022-10-28 01:11]:
>> 
>> Max Nikulin <manikulin <at> gmail.com> writes:
>> 
>> > How are you going to distinguish your personal files and arbitrary
>> > files from non-trusted sources? By signing your files and maintaining
>> > list of trusted certificates?
>> 
>> One idea that could work well is to add an explicit allow-list
>> trusted-sources-to-allow-unsafe-modes with entries of domain and
>> path-prefix where people can add trusted sources.
>
> That implies that for every content type you are supposed to do the
> same.

No, you misunderstood the proposal.

> And what makes you want to limit people how they want to run their Org
> files?

The wish to limit the fallout when¹ this gets weaponized by criminals.

If you explicitly allow-list trusted sources, bad actors have to take
over your trusted server to attack you. That’s much less likely than bad
actors taking over some random long-unmaintained server of a link you
stumbled upon.

¹: when, not if.

Best wishes,
Arne
-- 
To be apolitical
means to be political
without noticing it.
draketo.de
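
The allow-list of domain and path-prefix entries proposed in the message above, sketched as an added example that is not part of the original message or of Emacs. The variable name is the one floated in the message; the `(HOST . PATH-PREFIX)` entry format, the function name `trusted-source-p`, and the sample hosts are assumptions made for illustration.

```elisp
;;; -*- lexical-binding: t; -*-
(require 'url-parse)
(require 'url-util)
(require 'seq)

;; Name taken from the message; entry format (HOST . PATH-PREFIX) is assumed.
;; The entries below are constructed samples.
(defvar trusted-sources-to-allow-unsafe-modes
  '(("example.org" . "/notes/")
    ("wiki.example.net" . "/"))
  "Sources whose Org files may enable unsafe modes.
Each entry is (HOST . PATH-PREFIX); PATH-PREFIX must end in \"/\".")

(defun trusted-source-p (url)
  "Return t if URL is covered by `trusted-sources-to-allow-unsafe-modes'."
  (let* ((parsed (url-generic-parse-url url))
         (host (url-host parsed))
         ;; Decode percent-escapes once so an encoded \"..\" is seen as \"..\".
         (path (url-unhex-string
                (or (car (url-path-and-query parsed)) "")))
         (segments (split-string path "/")))
    (and
     ;; Only transports that authenticate the server.
     (string= "https" (downcase (or (url-type parsed) "")))
     (stringp host)
     ;; Refuse paths that could climb out of the trusted prefix.
     (not (member ".." segments))
     (not (string-match-p "\\\\" path))
     (seq-some
      (lambda (entry)
        (and
         ;; Exact host comparison: a suffix or substring test would also
         ;; accept a look-alike host that merely contains the trusted name.
         (string= (downcase host) (car entry))
         ;; A prefix ending in \"/\" matches whole path segments only, so
         ;; \"/notes/\" does not cover \"/notes-old/\".
         (string-suffix-p "/" (cdr entry))
         (string-prefix-p (cdr entry) path)))
      trusted-sources-to-allow-unsafe-modes)
     t)))

;; Constructed checks; run with M-x ert RET trusted-source-p RET.
(require 'ert)
(ert-deftest trusted-source-p ()
  (should (trusted-source-p "https://example.org/notes/todo.org"))
  (should-not (trusted-source-p "http://example.org/notes/todo.org"))
  (should-not (trusted-source-p "https://example.org.evil.invalid/notes/a.org"))
  (should-not (trusted-source-p "https://example.org/notes-old/a.org"))
  (should-not (trusted-source-p "https://example.org/notes/%2e%2e/x/a.org")))
```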

This bug report was last modified 1 year and 259 days ago.
