RE: Sv: Install orgmode using its git repository.

[arthur miller]

I won't say anything about nix; it probably is very good and flexible system. I 
am also sure containers (docker, kubernetes etc) could be utilized to sandbox 
Emacs and what not. But I don't think it should not be mandatory. Emacs should 
run safe on bare metal.

However it is all personal. People can do whatever they want with their 
computers, and there are already solutions that integrate random github repos: 
quelpa and straight. But it is still individuals own initiative to use those. I 
don't Emacs should have that built in.

In my opinion it opens for more security risks then needed, and also for 
possibility to very easy distribute binary blobs not compatible with GPL. It is 
not very difficult to get in those in Emacs now either, but at least it takes 
individual's own actions and is not automated from Emacs out of the box.


-------- Originalmeddelande --------
Från: Leo Butler <leo.butler@umanitoba.ca>
Datum: 2020-12-29 16:49 (GMT+01:00)
Till: help-gnu-emacs <help-gnu-emacs@gnu.org>
Ämne: Re: Sv: Install orgmode using its git repository.

arthur miller <arthur.miller@live.com> writes:

> Nöje of that you write is particularly adequate "addressing" of potential 
> security vulnerability that let's potential malicious code 1) install 
> anything on  your machine 2) steal your data 3) destroy your data.
>
> Maybe a virtual machine, but then you wouldn't be running your Emacs for 
> anything  sensitive or serious.

Actually, *nix systems have a very good way to handle these kinds of
threats without resort to such devices: users and groups. One can create
a user account with very limited privileges for working with unvetted
code, data, etc.

Actually, I do this for developing new code, too. That way, whatever I
break/change is contained within the confines of that account.

>
> A reviewed package from elpa/helps gives at least some guarantee that you are 
> not getting binary blobs and/or directly malicious code installed on your 
> machine.

Leo


>
>
> -------- Originalmeddelande --------
> Från: David Masterson <dsmasterson92630@outlook.com>
> Datum: 2020-12-28 22:44 (GMT+01:00)
> Till: arthur miller <arthur.miller@live.com>
> Kopia: Hongyi Zhao <hongyi.zhao@gmail.com>, Stefan Monnier 
> <monnier@iro.umontreal.ca>, help-gnu-emacs <help-gnu-emacs@gnu.org>
> Ämne: Re: Sv: Install orgmode using its git repository.
>
> arthur miller <arthur.miller@live.com> writes:
>
>> I don't think it is very safe practice to install random Joe's code
>> directly from some git repo. We have not yet seen malicious code (not
>> what I know) in Emacs community, but Emacs in that respect is as bad
>> as MS Office from time when VBA scripts (and viruses) were shared
>> wildly around, or a web browserwith JS that can do anything. Remember
>> time when JS was off by default in all browsers?  Elisp can do
>> whatever on your computer, so you should be careful what you
>> install. Installing from random git repos can open you for more
>> security problems then needed. I do clone lots from gitlab/github, but
>> I always look at the code myself before I ever run it.
>>
>> Another point is that installing from git and different branches as it
>> is possible with straight.el or quelpa (is what OP actually wants) can
>> eventually lead to incompatibility between code that might be much
>> harder to detect. I personally don't want to bother with latest-latest
>> of all latest because eventually it could become a spagheti code of
>> possible incompatibility and clashes.
>
> You can address these points in multiple ways:
>
> 1. A good backup and restore strategy
> 2. Virtual machines (ie a chromebook)
> 3. prioritize (m)elpa-stable over (m)elpa
> 4. el-get can get particular version from git
> ...
>
> --
> David Masterson