GNU bug report logs -
#74879
30.0.92; trusted-content-p and trusted-files cannot be used for non-file buffers
Previous Next
Full log
View this message in rfc822 format
Eli Zaretskii <eliz <at> gnu.org> writes:
>> Cc: Stefan Monnier <monnier <at> iro.umontreal.ca>,
>> Stefan Kangas <stefankangas <at> gmail.com>
>> Date: Sun, 15 Dec 2024 11:16:17 +0100
>> From: Daniel Mendler via "Bug reports for GNU Emacs,
>> the Swiss army knife of text editors" <bug-gnu-emacs <at> gnu.org>
>>
>> Daniel Mendler <mail <at> daniel-mendler.de> writes:
>>
>> > Thank you for the recent addition of `trusted-content-p'. Is there a
>> > possibility to use `trusted-content-p' in buffers which are not backed
>> > by a file? I use Flymake in *scratch* or similar buffers and it seems
>> > that this won't continue to work given that `trusted-content-p' needs a
>> > `buffer-file-truename'.
>> >
>> > My suggestion would be to replace `trusted-files' by a
>> > `trusted-buffer-function' which is a predicate function or a list of
>> > functions. The functions could then check a custom list of trusted files
>> > or a custom list of trusted buffers.
>> >
>> > Alternatively offer `trusted-files', `trusted-buffers' and
>> > `trusted-buffer-function`? `trusted-buffers' could for example rely on
>> > `buffer-match-p`.
>>
>> I have also ported back `trusted-content-p' via Compat. I had the plan
>> to use `trusted-content-p' in external packages which could potentially
>> perform dangerous operations. This way the new feature can be used to
>> retroactively improve the safety even of older Emacs installations.
>>
>> For example in my GNU ELPA Corfu package the plan was to check
>> `(trusted-content-p)' when starting auto completion. To be clear - Corfu
>> is safe by default, since auto completion is disabled by default.
>> However many people enable auto completion unconditionally in all
>> buffers.
>>
>> Now with the limitation of `trusted-content-p' to file-backed buffers, I
>> cannot do this, since otherwise auto completion would be lost for
>> example in *scratch* buffers. Each package could invent its own trust
>> mechanism or alternatively one could limit the `trusted-content-p' check
>> to only file-backed buffers. Both alternatives would be worse than going
>> through the `trusted-content-p' standard mechanism.
>>
>> Therefore by making the `trusted-content-p' mechanism too limited, we
>> get less safety than with a more flexible mechanism. Nevertheless I
>> would avoid creating a complex mechanism given that the mechanism is
>> supposed to be part of Emacs 30. The simplest approach I can think of
>> this this `trusted-buffer-function', a hook called by
>> `run-hook-with-args-until-success'. Later on trust functions can be
>> provided and added to the hook list. The trust functions could check
>> file lists, buffer lists, regexps etc. Users can also write their own
>> predicate functions.
>
> What do you envision trusted-buffer-function should do in a buffer
> that doesn't visit a file?
`trusted-buffer-function' should be a hook variable, which could be set
to multiple functions, e.g., #'trusted--files-p and
#'trusted--buffers-p. The function `trusted--files-p' would check the
variable `trusted-files' similar to the existing code in the emacs-30
branch.
The function `trusted--buffers-p' could check another variable
`trusted-buffers' which specifies a list of buffer name regexps or
probably even better a `buffer-match-p' condition. This way the user
could specify buffers which they consider safe, for example *scratch*.
In the end it is up to the user how the variables are configured, as is
already the case with `trusted-files'. The user must define which
directories/files/buffers they consider safe.
Daniel
This bug report was last modified 56 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.