From: Georgi Guninski
Subject: Re: security problem in emacs
Date: Tue, 31 Dec 2002 17:42:59 +0200
User-agent: Mozilla/5.0 (X11; Linux)

Alfred M. Szmidt wrote:
Is the new attached file also fixed? Emacs CVS gives a warning about the code.
So since emacs CVS fixes at least 2 security bugs you may think about releasing a new version or at least patches.
I suggest you disable local variables by default - they are not portable and some people use emacs for examining untrusted log files or read mail. Disabling local variables completely seems silly. Making Emacs warn the user when running local-hook's or eval's is a far better idea; which is done in CVS. Local variables are very useful.
I continue to disagree that local variables on by default is a good idea, but am tired of arguing about it.
So here are some last arguments:

1. I found 2 security bugs in the release version of emacs in less than a week. How many do you think are left? Of course the idea of warning about eval or hooks seems good, but covering all cases of non-obvious evals in a large project is a difficult task.
2. Lusers like micro$oft thought in the beginning that scripting in email/word is a good idea and it is sandboxed. Now it is off by default in their email products. Think about it.
3. Local variables are not portable across editors, which makes them almost useless, unless every document has all the versions of local variables for every editor.

georgi