GNU bug report logs - #74879
30.0.92; trusted-content-p and trusted-files cannot be used for non-file buffers
Message #125 received at 74879 <at> debbugs.gnu.org (full text, mbox):
Daniel Mendler <mail <at> daniel-mendler.de> writes:
> As I argued, using bwrap for package compilation will not yield
> additional security benefits, since this will only push the confirmation
> slightly to the future, to the time when the package is loaded.
"Slightly to the future" could be "never" if the package is unused.
(Assuming that we also do something about autoloading.)
>>> Which additional benefits do you see if ELPA packages are compiled
>>> inside bwrap? The trust will only be pushed a little to the future.
>>
>> Consider packages that are used very rarely. I'd prefer to have
>> `php-mode' installed, but I can't even remember the last time I had to
>> look at a PHP file. It could be more than 10 years ago.
>
> I see your point. Like you, I probably have not opened certain file
> types in years, but I have the modes around. So what do you envision?

While I like some of your ideas, the point that I was making is simply
that it would be better if ELisp compilation took place in a safe
sandbox. I don't claim that this will fix all security issues, but only
that it will specifically fix one issue: code from packages or visited
files would no longer run with the same privileges as Emacs when
installing packages or with flymake.

If you are not convinced that this will improve security, then that's
fine. We can agree to disagree.

Meanwhile, I think you have presented some other good ideas. Feature
requests and patches to implement those will be enthusiastically
received. Thanks in advance.

> My argument is that the `php-mode' you have installed is considered to
> be safe, since you trusted it back then. Hopefully you have checked it
> carefully back then and installed it from a source you trust.

That model doesn't work here, because I install rarely-used-mode with something
like

  (use-package rarely-used-mode :ensure t)

which means that it's installed again and again on every new machine, as
well as potentially also every time I say 'M-x package-upgrade-all'.
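
The sandboxed compilation argued for in this message could look like the following. This is an added example, not code from the thread or from Emacs. It assumes a merged-/usr layout with `emacs` and `bwrap` installed; the function name, the `/work` mount point and the `DRY_RUN` switch are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): byte-compile one ELisp file inside
# bubblewrap so compile-time code (macros, eval-when-compile) cannot reach
# the network or any host file outside the package directory.
# Assumptions: merged-/usr distro layout, emacs installed under /usr.

# usage: sandboxed_byte_compile /abs/path/to/pkg-dir file.el
# Set DRY_RUN=1 to print the command line instead of running it.
sandboxed_byte_compile() {
    pkg_dir=$1
    el_file=$2

    # Only an absolute directory and a plain "name.el" are accepted, so the
    # file name can neither escape /work nor be parsed as an emacs option.
    case $pkg_dir in /*) ;; *) return 2 ;; esac
    case $el_file in -*|*/*) return 2 ;; *.el) ;; *) return 2 ;; esac

    run=${DRY_RUN:+echo}
    # --unshare-all drops network, PID, IPC and UTS namespaces; /usr is
    # read-only, $HOME is an empty tmpfs, and the package directory is the
    # only writable host path (the .elc is written there).
    $run bwrap \
        --unshare-all \
        --die-with-parent \
        --new-session \
        --clearenv \
        --setenv PATH /usr/bin \
        --setenv HOME /tmp \
        --ro-bind /usr /usr \
        --symlink usr/bin /bin \
        --symlink usr/lib /lib \
        --symlink usr/lib64 /lib64 \
        --ro-bind-try /etc/alternatives /etc/alternatives \
        --ro-bind-try /etc/ld.so.cache /etc/ld.so.cache \
        --proc /proc \
        --dev /dev \
        --tmpfs /tmp \
        --bind "$pkg_dir" /work \
        --chdir /work \
        emacs --batch -Q -f batch-byte-compile "$el_file"
}
```

The sandbox covers only the compile step: loading the resulting `.elc` later still runs the package code in the normal Emacs process.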
This bug report was last modified 55 days ago.