Re: security problem in emacs
From: Miles Bader
Subject: Re: security problem in emacs
Date: 01 Jan 2003 03:00:29 +0900
Georgi Guninski <guninski@guninski.com> writes:
> 1. I found 2 security bugs in the release version of emacs in less than
> a week. How many do you think are left? Of course the idea of warning
> about eval or hooks seems good, but covering all cases of non-obvious
> evals in a large project is a difficult task.
To be fair, both your examples were already taken care of.
> 2. Lusers like micro$oft thought in the beginning that scripting in
> email/word is a good idea and it is sandboxed. Now it is off by
> default in their email products. Think about it.
This is not scripting. Whether or not emacs is as restrictive as it
should be, I don't know, but there's clearly a large subset of
variables/values that can quite safely be set.
Yes, if emacs were the kernel, it would have to take a more conservative
approach -- but it's not, and convenience _is_ important.
[Of course, it helps that the `local variables' section is not
interpreted for obviously suspicious sources such as email or news,
and that emacs users are in general a more clueful lot than typical MS
product users]
> 3. Local variables are not portable across editors, which makes them
> almost useless, unless every document has all the versions of local
> variables for every editor.
Who cares about other editors? I certainly don't.
-Miles
--
`Cars give people wonderful freedom and increase their opportunities.
But they also destroy the environment, to an extent so drastic that
they kill all social life' (from _A Pattern Language_)