Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop

[Po Lu]

Ulrich Mueller <ulm@gentoo.org> writes:

> Sorry, but I've installed this on emacs-29 with an explicit ack from
> both Eli and Stefan.

Why was this considered okay for emacs-29?

IMHO we should stop kow-towing to the information security people who
make a huge fuss over every single bug, especially bugs like this one
which only show up when you specifically try to trigger them.

Proprietary JavaScript routinely does things far more nasty and
malicious than a hyperlink that can be read before being clicked.

> An alternative solution would be to drop emacsclient-mail.desktop
> altogether, since this desktop file isn't part of any core
> functionality. It could be readded once emacsclient has gained a
> --funcall argument, so that arguments can be passed in a sane way.

Or perhaps Emacs 29 can forgo this change entirely.  Why would anyone
click a URL containing suspicious looking Lisp code, and who would
actually try to do nasty things with such URLs?

If you have to go out of your way to trigger a bug in a branch that is
supposed to be stable, then fixing it can wait.

Just my two cents.  Feel free to disregard them if you want, but keep in
mind it will result in many angry users.