bug#74879: 30.0.92; trusted-content-p and trusted-files cannot be used for non-file buffers

[Eli Zaretskii]

> Cc: Stefan Monnier <monnier@iro.umontreal.ca>,
>  Stefan Kangas <stefankangas@gmail.com>
> Date: Sun, 15 Dec 2024 11:16:17 +0100
> From:  Daniel Mendler via "Bug reports for GNU Emacs,
>  the Swiss army knife of text editors" <bug-gnu-emacs@gnu.org>
> 
> Daniel Mendler <mail@daniel-mendler.de> writes:
> 
> > Thank you for the recent addition of `trusted-content-p'. Is there a
> > possibility to use `trusted-content-p' in buffers which are not backed
> > by a file? I use Flymake in *scratch* or similar buffers and it seems
> > that this won't continue to work given that `trusted-content-p' needs a
> > `buffer-file-truename'.
> >
> > My suggestion would be to replace `trusted-files' by a
> > `trusted-buffer-function' which is a predicate function or a list of
> > functions. The functions could then check a custom list of trusted files
> > or a custom list of trusted buffers.
> >
> > Alternatively offer `trusted-files', `trusted-buffers' and
> > `trusted-buffer-function`? `trusted-buffers' could for example rely on
> > `buffer-match-p`.
> 
> I have also ported back `trusted-content-p' via Compat. I had the plan
> to use `trusted-content-p' in external packages which could potentially
> perform dangerous operations. This way the new feature can be used to
> retroactively improve the safety even of older Emacs installations.
> 
> For example in my GNU ELPA Corfu package the plan was to check
> `(trusted-content-p)' when starting auto completion. To be clear - Corfu
> is safe by default, since auto completion is disabled by default.
> However many people enable auto completion unconditionally in all
> buffers.
> 
> Now with the limitation of `trusted-content-p' to file-backed buffers, I
> cannot do this, since otherwise auto completion would be lost for
> example in *scratch* buffers. Each package could invent its own trust
> mechanism or alternatively one could limit the `trusted-content-p' check
> to only file-backed buffers. Both alternatives would be worse than going
> through the `trusted-content-p' standard mechanism.
> 
> Therefore by making the `trusted-content-p' mechanism too limited, we
> get less safety than with a more flexible mechanism. Nevertheless I
> would avoid creating a complex mechanism given that the mechanism is
> supposed to be part of Emacs 30. The simplest approach I can think of
> this this `trusted-buffer-function', a hook called by
> `run-hook-with-args-until-success'. Later on trust functions can be
> provided and added to the hook list. The trust functions could check
> file lists, buffer lists, regexps etc. Users can also write their own
> predicate functions.

What do you envision trusted-buffer-function should do in a buffer
that doesn't visit a file?