Re: DSO-style FFI

[Ted Zlatanov]

On Sat, 19 Oct 2013 18:33:27 +0100 Andy Moreton <address@hidden> wrote: 

AM> On Fri 18 Oct 2013, Ted Zlatanov wrote:
>> On Sat, 12 Oct 2013 14:55:26 -0400 Stefan Monnier <address@hidden> wrote: 
>> 
>>>> The problems I see are A) that it would be trivial to use such an
>>>> interface to crash or subvert emacs from elisp,
>> 
SM> This is a fundamental property of anything that lets gives access to
SM> "any" library.  DSO or FFI is in the same boat.  IOW, if we really
SM> consider it as too dangerous, then we can't provide anything related to
SM> an FFI or dynamic loading of code.
>> 
>> This is where package signing becomes important.  We can require two
>> signatures from two separate reviewers for high-risk packages.

AM> Package signing is not really relevant here: knowing who signed a
AM> package does not magically prevent emacs from crashing. If you want to
AM> prevent crashes, then you need to isolate the third party code by
AM> running it in a separate process.

A separate process doesn't guarantee safety either, depending on the
platform and the process owner.

Double signing would require two independent reviewers to sign off on
the package release.  This gives some assurance that the code is not
apparently or intentionally harmful by not-so-magical means.

Ted