Re: Trust API (was: bug#74879: 30.0.92; trusted-content-p and trusted-fi
From: Ihor Radchenko
Subject: Re: Trust API (was: bug#74879: 30.0.92; trusted-content-p and trusted-files cannot be used for non-file buffers)
Date: Mon, 21 Apr 2025 13:40:28 +0000

Eli Zaretskii <eliz@gnu.org> writes:
> Sorry, I see no reason to extend our UI for allowing potentially
> harmful content beyond what we have here. Annoyance does not provide
> good guidance when security is at stake. People who are too annoyed
> have the option of making the file/directory trusted.
In theory. In practice, this simply nudges people to do

    (setq trusted-content :all)

We have been there in Org mode with `org-confirm-babel-evaluate' that is
set to nil by users almost universally.
> ... Adding a
> command to trust the current buffer's content (doesn't the question
> already allow that, btw?) is okay, but let's not slip the slippery
> slope of making this too easy by providing over-reaching "never ask
> again" options, because that's exactly what malicious content will
> target.
What about providing the following options in the query:

1. yes, just this time
2. yes, in this Emacs session
3. Edit trusted-content via customize interface
> doesn't the question already allow that, btw?
yes/no question does not. It rather only provides "yes, just this time".
Also, should trust be limited to specific command at hand
(org-confirm-babel-evaluate), or should it mark the buffer fully trusted?
If just for a specific command, should the existing API be modified?
> So IMO our current model should be: if you know some stuff can be
> trusted, mark it so. Otherwise, you will be prompted each time
> something potentially dangerous could happen, and will have to answer
> those prompts.
I disagree, as pointed out earlier. From my experience, this simply leads to
users disabling all the security checks. Especially for frequently used
commands.
As another example, consider Flymake users who will have byte-compile
backend disabled by default. I fully expect (setq trusted-content :all)
to proliferate, just as it did for Org's `org-confirm-babel-evaluate'.
--
Ihor Radchenko // yantar92,
Org mode maintainer,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>
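
The three-way query proposed in the message above, sketched as an added example (not code from the message, Emacs, or Org). Every `my/` name is hypothetical, a fourth "no" choice is added, and session trust is recorded per buffer rather than per command, which is one of the two possibilities the message asks about.

```elisp
;;; -*- lexical-binding: t -*-
;; Added illustration; all `my/' names are hypothetical.
(require 'cus-edit)

(defvar-local my/session-trusted nil
  "Non-nil if the user trusted this buffer for the current session.
Buffer-local and never saved: it is lost when the buffer is killed,
when the major mode is reset, or when Emacs exits.")
;; File-local variable specs must not be able to set the flag silently.
(put 'my/session-trusted 'risky-local-variable t)

(defun my/buffer-trusted-p ()
  "Return non-nil if the current buffer may run risky features unprompted."
  (or my/session-trusted
      ;; `trusted-content-p' exists from Emacs 30 onwards.
      (and (fboundp 'trusted-content-p) (trusted-content-p))))

(defun my/confirm-risky-action (action)
  "Ask before performing ACTION (a string) on the current buffer's content.
Return non-nil if the action may proceed."
  (or (my/buffer-trusted-p)
      (pcase (car (read-multiple-choice
                   (format "Buffer %s is not trusted; %s?"
                           (buffer-name) action)
                   '((?y "yes" "Allow just this time")
                     (?s "session" "Allow in this buffer for this session")
                     (?e "edit" "Customize `trusted-content'; do not run now")
                     (?n "no" "Do not run"))))
        (?y t)
        (?s (setq my/session-trusted t))
        ;; Persistent trust goes through the user option, never the prompt.
        (?e (customize-variable 'trusted-content) nil)
        (_ nil))))
```

A caller would wrap the risky step as `(when (my/confirm-risky-action "evaluate code block") ...)`; only the "edit" choice can lead to a persistent change, and it does so through the normal customize interface.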