bug#75017: 31.0.50; Untrusted user lisp files

[Eli Zaretskii]

> From: Stefan Kangas <stefankangas@gmail.com>
> Date: Mon, 23 Dec 2024 14:10:30 +0000
> Cc: monnier@iro.umontreal.ca, jm@pub.pink, 75017@debbugs.gnu.org, 
>       acorallo@gnu.org
> 
> Eli Zaretskii <eliz@gnu.org> writes:
> 
> > So if such a file somehow materializes there, I want to know, pronto.
> 
> First, I note that it's likely already game over if an attacker can
> write to `site-init-file`, because they can then just as easily write to
> your init file (or other relevant files in `load-path`) instead.
> 
> But to do what you suggest, we would need to start with deciding under
> what circumstances it is not expected to find a file in this location,
> and then not just warn but refuse to load it if it meets that criteria.
> I don't know how to design such criteria.
> 
> If we can figure out a way to do that, then I agree that it would be
> consistent not to treat this file as `trusted-content-p`, when it exists
> unexpectedly.

I think this is over-engineering.  Yes, there are situations where it
makes sense to trust site-init-file.  No, they are not 100% of the
possible situations.  Which in my book means we should leave it to
users to decide whether to trust that file or not.