emacs-devel

Re: Unsafe file variables...


From: David Kastrup
Subject: Re: Unsafe file variables...
Date: 05 Apr 2004 12:34:16 +0200
User-agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.3.50

Stefan Monnier <address@hidden> writes:

[...]

> > No.  Each change that would trigger such a message needs to be signed.
> > But if I told my system once "If Stefan Monnier has signed a change,
> > don't ask", then while you need to sign each such change you do, but a
> > hundred users need to tell their Emacs only once that they trust your
> > judgment.
> 
> Hmmm... I guess you're considering a very different usage pattern
> from mine.

Apparently.

> In my estimate of how things play out in practice, there is the
> following: 1 - "unsafe file vars" are not very frequent.  2 - they're
> not very varied either (because you'll open the same file many
> times, because the same setting will be used in several files,
> because it's used for things that don't change much, ...).

Point 1 and 2 might change in future, particularly when file contents
become "more active".  At the current point of time, it would
probably be more relevant for the user if complete Elisp files were
signed, but this is something that can be solved outside of Emacs as
long as Emacs itself does not fetch and install packages.

But when we are talking about things like texts with file variables,
or C (instead of Lisp) code with file variables and so on, and we are
talking about people working with CVS, then it becomes inconvenient if
the whole file has to be signed when the security relevant part is
just the file variable block: whenever somebody (or yourself) changes
a file, the respective signature would get invalid, even though the
safety relevant part for editing (as opposed to executing) would be
just in the file variables.

> 3 - they're mostly used "by the author, for the author".
> 4 - they'll be signed by the author of the file in 99% of the cases.

I was thinking of something different, obviously.  When we are
working on Elisp files in CVS, there will be many more people looking
at a file than just the author.

> > You are confusing the scenarios.  This sentence is for the case
> > without signatures.  It is the case I want to avoid.
> 
> For the case with signature, the author (which I expect to be the
> main user) will have to do it, just the same.

Taking Emacs code as an example: do you really think that the author
of each piece of code can be called its main user?  I should hope
that more people than just the author get to use and even view a
particular code piece.

> The problem is:
> - are there going to be more pieces of code or more authors?
>   You assume there'll be many more different pieces of code than authors,
>   whereas I expect that there'll be about as many of each.

We'll see how this pans out in future.  I was not proposing this as
something that is dearly necessary right now.

> I'm not opposing it, but I just don't think it's worth the trouble.

Currently: yes.

-- 
David Kastrup, Kriemhildstr. 15, 44793 Bochum
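
The idea discussed in the message above, signing only the file-variable block so that edits to the rest of the file leave the signature valid, sketched as an added example (not code from this thread or from Emacs). HMAC-SHA256 with a per-signer shared key stands in for a real public-key signature such as OpenPGP; the function names, the signer name and the sample file are all hypothetical.

```python
import hashlib
import hmac

# Constructed sample: a C file ending in an Emacs file-variable block.
SAMPLE = """#include <stdio.h>
int main(void) { return 0; }
/* Local Variables: */
/* eval: (c-set-offset 'innamespace 0) */
/* compile-command: "make -k" */
/* End: */
"""

def extract_block(text):
    """Return the normalized file-variable entries, or None if absent/malformed."""
    lines = text.splitlines()
    for i in range(len(lines) - 1, -1, -1):      # use the last block in the file
        prefix, marker, tail = lines[i].partition("Local Variables:")
        if not marker:
            continue
        suffix, entries = tail.strip(), []
        for line in lines[i + 1:]:
            line = line.rstrip()
            if not line.startswith(prefix) or not line.endswith(suffix):
                return None                      # line breaks the prefix/suffix rule
            body = line[len(prefix):len(line) - len(suffix)].strip()
            if body == "End:":
                return "\n".join(entries)
            entries.append(body)
        return None                              # no "End:" line: treat as unsigned
    return None

def _tag(block, key):
    # Stand-in for a signature: a keyed MAC over the block text only.
    return hmac.new(key, block.encode("utf-8"), hashlib.sha256).hexdigest()

def sign_block(text, key):
    """Signer side: tag only the file-variable block, not the whole file."""
    block = extract_block(text)
    if block is None:
        raise ValueError("no file-variable block to sign")
    return _tag(block, key)

def is_trusted(text, signer, tag, trusted_keys):
    """User side: skip the prompt only for an intact block from a trusted signer."""
    block, key = extract_block(text), trusted_keys.get(signer)
    if block is None or key is None:
        return False
    return hmac.compare_digest(_tag(block, key), tag)
```

Changing the C code leaves the tag valid, while changing any file-variable entry or naming a signer who is not in `trusted_keys` makes `is_trusted` return False, which is the case where the user would still be asked.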



