GNU bug report logs - #75017
31.0.50; Untrusted user lisp files

Package: emacs;

Reported by: john muhl <jm <at> pub.pink>

Date: Sat, 21 Dec 2024 20:50:02 UTC

Severity: normal

Found in version 31.0.50

Message #89 received at 75017 <at> debbugs.gnu.org:

From: Sean Whitton <spwhitton <at> spwhitton.name>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: dmitry <at> gutov.dev, jm <at> pub.pink, stefankangas <at> gmail.com,
 75017 <at> debbugs.gnu.org
Subject: Re: bug#75017: 31.0.50; Untrusted user lisp files
Date: Fri, 27 Dec 2024 13:36:55 +0000
Hello,

On Fri 27 Dec 2024 at 10:35am +02, Eli Zaretskii wrote:

>> From: Sean Whitton <spwhitton <at> spwhitton.name>
>> Cc: Eli Zaretskii <eliz <at> gnu.org>,  jm <at> pub.pink,  stefankangas <at> gmail.com,
>>   75017 <at> debbugs.gnu.org
>> Date: Fri, 27 Dec 2024 07:39:16 +0000
>>
>> For Debian we'll probably patch in so everything that we install on the
>> system is automatically trusted.  It seems natural to me to see this as
>> the distributor's responsibility.
>
> I think this is the end-user's responsibility, not yours.  So I urge
> you to reconsider.  At the very least ask the user at installation
> time whether she wants to declare the entire tree trusted, but don't
> do it unconditionally, because it basically renders this change in
> large part ineffective, and then why did we even bother to do it,
> delaying the release etc.?

It sounds like I am significantly misunderstanding something.  I thought
that this trusted-files change was about, e.g., random Lisp files in my
~/Downloads/.  Debian will certainly not be marking those as trusted!

Let me step back a bit.

If you install Emacs on the next release of Debian and you enable
installing all suggested packages, you'll also get a bunch of major
modes from GNU ELPA and elsewhere, such as markdown-mode (thanks to
Xiyue Deng for sorting out the metadata such that these other modes are
suggested by our package manager).

These are Debian-vetted versions of these packages; we have lots of
users who don't want to use package.el directly.  The Lisp is installed
under /usr/share/emacs/site-lisp/elpa-src.  It's just as safe as the
code for Emacs itself; the same people (Debian Developers) have upload
access for Emacs and for all those other major modes.  So, I would have
thought we would be marking those as trusted on behalf of our users.

Does this still seem wrong to you?  Can you see what I've misunderstood?

-- 
Sean Whitton
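The distributor-side step Sean describes, declaring the packaged ELPA tree trusted while leaving everything else (such as ~/Downloads/) untrusted, as an added example in Emacs Lisp. This is not code from the bug report, from Emacs or from Debian's packaging; it assumes that the "trusted-files change" under discussion is the Emacs 30 user option `trusted-content` together with the predicate `trusted-content-p`, and the names `site-lisp-trusted-dir`, `site-lisp-trust-elpa-src` and `file-trusted-p` are hypothetical names chosen for the example.

```elisp
;; Added example, not from the bug report, Emacs or Debian's packaging.
;; Assumes the Emacs 30 option `trusted-content' and predicate
;; `trusted-content-p'.  Directory is the one named in the thread; the
;; function and constant names below are hypothetical.

(require 'files)

(defconst site-lisp-trusted-dir "/usr/share/emacs/site-lisp/elpa-src/"
  "Directory holding distribution-vetted ELPA sources.
The trailing slash matters: `trusted-content-p' treats only entries
ending in \"/\" as directory prefixes; without it the string would be
matched as the name of a single file.")

(defun site-lisp-trust-elpa-src ()
  "Add the packaged ELPA tree to `trusted-content', and nothing else.
If the user has already chosen `:all', leave that alone rather than
turning it back into a list; user-owned locations such as ~/Downloads/
are never added here."
  (unless (eq trusted-content :all)
    (add-to-list 'trusted-content
                 (abbreviate-file-name site-lisp-trusted-dir))))

(defun file-trusted-p (path)
  "Return non-nil if PATH would be trusted under the current `trusted-content'.
Runs `trusted-content-p' in a scratch buffer whose `buffer-file-truename'
is PATH's truename, so a symlink is judged by where it really points,
exactly as for a visited file: a link inside the trusted tree that
points at a file in ~/Downloads/ is not trusted."
  (with-temp-buffer
    (setq buffer-file-truename (file-truename path))
    (trusted-content-p)))

;; Usage from a site-start.el, followed by two spot checks a packager
;; can run in *scratch* after loading this file:
(site-lisp-trust-elpa-src)
;; (file-trusted-p "/usr/share/emacs/site-lisp/elpa-src/markdown-mode/markdown-mode.el")
;; (file-trusted-p (expand-file-name "~/Downloads/some-mode.el"))
```

Two caveats follow from how `trusted-content-p` matches: entries are compared against the abbreviated truename of the visited file, so a tree reached only through a symlink from the user's home directory is trusted or not according to its real location, and widening the list to `:all` disables the check entirely, which is why the helper refuses to touch that setting.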



