[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Trojan Source detection/highlight in Emacs?

From: Stefan Monnier
Subject: Re: Trojan Source detection/highlight in Emacs?
Date: Tue, 02 Nov 2021 11:12:39 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/28.0.50 (gnu/linux)

> Now, the code there is not ready for the kind of tricks these new
> examples are playing, so it doesn't detect them.  It can be enhanced
> to do that, though.  But I'm reluctant to invest my time and energy in
> a feature that will just keep collecting dust.  So I will only work on
> this if someone is actually prepared to use this function in Emacs by
> adding some user-facing UI features, like making the problematic text
> stand out on display, or displaying a warning.

I can see two use cases:

- One that's disabled by default, and where we can expect the users to
  accept a fairly strict definition of "normal" (e.g. flag any non-ASCII
  char as suspicious).  That should be pretty easy to implement, but
  very rarely used (only by security-conscious people who happen to
  work almost exclusively with code using English identifiers and

- One that's enabled by default, but in that case it'll have to be a lot
  more permissive so as not to get in the way of people who want to
  write comments and identifiers in their mother tongue.  Making this
  permissive enough without leaving gaping security holes seems hard.

> I should also mention that Emacs has (weak) defenses against this kind
> of tricks: we show the formatting control characters on display,
> unlike other editors that hide them.  Also, cursor motion with C-f and
> C-b will seem to behave erratically if you move across the problematic
> text.  So users that actually look at the code they use will most
> probably find out that something strange is going on (if they don't
> look, no visual cue will do).

If the readers are only reviewing the code without actually editing it,
there's a significant probability that they won't move across the
problematic case with the cursor (they'll only do that with their eyes).


reply via email to

[Prev in Thread] Current Thread [Next in Thread]