Re: security problem in emacs

From: Miles Bader
Subject: Re: security problem in emacs
Date: 01 Jan 2003 03:00:29 +0900

Georgi Guninski <guninski@guninski.com> writes:
> 1. I found 2 security bugs in the release version of emacs in less
>    than a week. How many do you think are left? Of course the idea of
>    warning about eval or hooks seems good, but covering all cases of
>    non-obvious evals in a large project is a difficult task.

To be fair, both your examples were already taken care of.

> 2. Lusers like micro$oft thought in the beginning that scripting in
>    email/word is a good idea and it is sandboxed. Now it is off by
>    default in their email products. Think about it.

This is not scripting.  Whether or not emacs is as restrictive as it
should be, I don't know, but there's clearly a large subset of
variables/values that can quite safely be set.

Yes, if emacs were the kernel, it would have to take a more conservative
approach -- but it's not, and convenience _is_ important.

[Of course, it helps that the `local variables' section is not
interpreted for such obviously suspicious sources as email or news,
and that emacs users are in general a more clueful lot than typical MS
product users]

> 3. Local variables are not portable across editors, which makes them
>    almost useless, unless every document has all the versions of local
>    variables for every editor.

Who cares about other editors?  I certainly don't.

`Cars give people wonderful freedom and increase their opportunities.
 But they also destroy the environment, to an extent so drastic that
 they kill all social life' (from _A Pattern Language_)

