GNU bug report logs - #74627: .dir-locals.el warning messages are confusing
To reply to this bug, email your comments to 74627 AT debbugs.gnu.org.
Report forwarded to bug-gnu-emacs <at> gnu.org: bug#74627; Package emacs. (Sat, 30 Nov 2024 17:21:01 GMT)
Acknowledgement sent to Björn Lindqvist <bjourne <at> gmail.com>: New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Sat, 30 Nov 2024 17:21:01 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Warnings about potential security issues should be easy to understand,
but the warnings produced by .dir-locals.el are not. When I open a
file in the Emacs source code it shows:

    The local variables list in /home/bjourne/p/emacs/
    or .dir-locals.el contains values that may not be safe (*).

Why does it say "or"? What does the asterisk (*) mean? Could the
descriptions for "!" and "i" be clearer so it is more obvious what is
applied and what is ignored?

--
mvh/best regards Björn Lindqvist
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#74627; Package emacs. (Thu, 05 Dec 2024 09:40:02 GMT)
Message #8 received at 74627 <at> debbugs.gnu.org (full text, mbox):
> From: Björn Lindqvist <bjourne <at> gmail.com>
> Date: Sat, 30 Nov 2024 18:20:35 +0100
>
> Warnings about potential security issues should be easy to understand,
> but the warnings produced by .dir-locals.el are not. When I open a
> file in the Emacs source code it shows:
>
> The local variables list in /home/bjourne/p/emacs/
> or .dir-locals.el contains values that may not be safe (*).
>
> Why does it say "or"?

Because that function is called with a single flag argument which
could be set non-nil either due to unsafe file-local variables or due
to .dir-locals.el.

> What does the asterisk (*) mean?

It means the variables marked with the asterisk in the list of
below this text could be unsafe.

> Could the descriptions for "!" and "i" be clearer so it is more
> obvious what is applied and what is ignored?

Please tell what is unclear there. The current text is

    ! -- to apply the local variables list, and permanently mark these
    values (*) as safe (in the future, they will be set automatically.)
    i -- to ignore the local variables list, and permanently mark these
    values (*) as ignored"
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#74627; Package emacs. (Wed, 11 Dec 2024 08:20:01 GMT)
Message #11 received at 74627 <at> debbugs.gnu.org (full text, mbox):
Hello Eli,

On Thu, 5 Dec 2024 at 10:38, Eli Zaretskii <eliz <at> gnu.org> wrote:

> > Warnings about potential security issues should be easy to understand,
> > but the warnings produced by .dir-locals.el are not. When I open a
> > file in the Emacs source code it shows:
> >
> > The local variables list in /home/bjourne/p/emacs/
> > or .dir-locals.el contains values that may not be safe (*).
> >
> > Why does it say "or"?
>
> Because that function is called with a single flag argument which
> could be set non-nil either due to unsafe file-local variables or due
> to .dir-locals.el.

So there are multiple sources of unsafe variables, but the function
responsible for formulating the error message doesn't know what the
source is? Regardless of whether my guess is correct, the text should
not refer to the local variables in "/home/bjourne/p/emacs/" because
there can be no unsafe variables in directories (only files).

> > What does the asterisk (*) mean?
>
> It means the variables marked with the asterisk in the list of
> below this text could be unsafe.

Aha. Emacs lists both safe and unsafe variables. Why does it list the
safe ones? The warning would be much clearer if the safe variables
were omitted since they don't matter. That would make it clear what
variables "!" and "i" choices apply or mark as safe/ignored.

--
mvh/best regards Björn Lindqvist
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#74627; Package emacs. (Wed, 11 Dec 2024 11:18:02 GMT)
Message #14 received at 74627 <at> debbugs.gnu.org (full text, mbox):
Björn Lindqvist <bjourne <at> gmail.com> writes:

> Aha. Emacs lists both safe and unsafe variables. Why does it list the
> safe ones? The warning would be much clearer if the safe variables
> were omitted since they don't matter. That would make it clear what
> variables "!" and "i" choices apply or mark as safe/ignored.

You have to see all of them to make an informed decision, I think.
Otherwise, an unsafe variable might be referring to a safe one, which is
the one containing the malicious bits.
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#74627; Package emacs. (Wed, 11 Dec 2024 15:01:02 GMT)
Message #17 received at 74627 <at> debbugs.gnu.org (full text, mbox):
> From: Björn Lindqvist <bjourne <at> gmail.com>
> Date: Wed, 11 Dec 2024 09:18:33 +0100
> Cc: Stefan Monnier <monnier <at> iro.umontreal.ca>, 74627 <at> debbugs.gnu.org
>
> On Thu, 5 Dec 2024 at 10:38, Eli Zaretskii <eliz <at> gnu.org> wrote:
>
> > > Warnings about potential security issues should be easy to understand,
> > > but the warnings produced by .dir-locals.el are not. When I open a
> > > file in the Emacs source code it shows:
> > >
> > > The local variables list in /home/bjourne/p/emacs/
> > > or .dir-locals.el contains values that may not be safe (*).
> > >
> > > Why does it say "or"?
> >
> > Because that function is called with a single flag argument which
> > could be set non-nil either due to unsafe file-local variables or due
> > to .dir-locals.el.
>
> So there are multiple sources of unsafe variables, but the function
> responsible for formulating the error message doesn't know what the
> source is?

Yes, that's my reading of the code.

> Regardless of whether my guess is correct, the text should
> not refer to the local variables in "/home/bjourne/p/emacs/" because
> there can be no unsafe variables in directories (only files).

Well, we consider variables in .dir-locals.el as belonging to the
directory in which it lives.

> > > What does the asterisk (*) mean?
> >
> > It means the variables marked with the asterisk in the list of
> > below this text could be unsafe.
>
> Aha. Emacs lists both safe and unsafe variables. Why does it list the
> safe ones? The warning would be much clearer if the safe variables
> were omitted since they don't matter. That would make it clear what
> variables "!" and "i" choices apply or mark as safe/ignored.

I can only guess: showing all of them lets you see the problematic one
in context.
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#74627; Package emacs. (Wed, 11 Dec 2024 15:32:02 GMT)
Message #20 received at 74627 <at> debbugs.gnu.org (full text, mbox):
>> Regardless of whether my guess is correct, the text should
>> not refer to the local variables in "/home/bjourne/p/emacs/" because
>> there can be no unsafe variables in directories (only files).
> Well, we consider variables in .dir-locals.el as belonging to the
> directory in which it lives.

I think it would be easier to understand for the reader if we can point
more precisely to the source (especially since now it can also come
from `.editorconfig`).

Stefan
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#74627; Package emacs. (Wed, 11 Dec 2024 16:56:02 GMT)
Message #23 received at 74627 <at> debbugs.gnu.org (full text, mbox):
> From: Stefan Monnier <monnier <at> iro.umontreal.ca>
> Cc: Björn Lindqvist <bjourne <at> gmail.com>,
> 74627 <at> debbugs.gnu.org
> Date: Wed, 11 Dec 2024 10:31:03 -0500
>
> >> Regardless of whether my guess is correct, the text should
> >> not refer to the local variables in "/home/bjourne/p/emacs/" because
> >> there can be no unsafe variables in directories (only files).
> > Well, we consider variables in .dir-locals.el as belonging to the
> > directory in which it lives.
>
> I think it would be easier to understand for the reader if we can point
> more precisely to the source (especially since now it can also come
> from `.editorconfig`).

Sure, but that's not what I meant to explain.
Severity set to 'wishlist' from 'normal'. Request was from Stefan Kangas <stefankangas <at> gmail.com> to control <at> debbugs.gnu.org. (Thu, 02 Jan 2025 01:57:02 GMT)
This bug report was last modified 167 days ago.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.