Mike Kupfer writes:
Stephen J. Turnbull wrote:
> Mike Kupfer writes:
> If you restrict "safe" to "doesn't implicitly execute Lisp code
> the file" in XEmacs's default configuration, as far as I know that's
Yes, that's safe enough for me.
> > Okay, but that's not an argument against patching vulnerabilities when
> > they are discovered.
> The argument is (1) patching costs developer effort
I'm motivated to help. If we refuse to apply patches like this,
If a patch exists, and doesn't harm functionality, sure, it's worth
applying. If a patch doesn't exist, I'm not particularly motivated to
find a patch to this kind of problem.
> and (2) gives users a false sense of security. These
> vulnerabilities are introduced by design; they shouldn't be there
> at all, at least not in core.
I'm not sure I understand. In some cases the vulnerability may be
deliberate, in other cases it may just be that nobody worked through the
That seems to be true in this particular case. Nevertheless, it's not
an uncommon design. VM and desktop.el both have executable libraries
for configuration, and I would guess Gnus, too. Fortunately they only
look in one place, so they're not very easy to exploit. But although
desktop by default asks you whether to execute it, it does look for
desktop files in various places besides ~/.emacs.desktop.
In this case it appears that the upstream developers have
reconsidered an earlier approach and replaced it with something
Sure, and we would eventually pick that up in a sync. I agree that
this kind of patch is worth doing a sync earlier than we otherwise
> But AFAIK they are rarely if ever exploited, so I guess GNU
> compatibility comes first.
I'm afraid I don't understand you here.
I'm referring to allowing eval expressions and arbitrary variables in
local variable sections, the practice of using executable files for
configuration, and so on. I'd really rather not support them. There
are reasonable ways to do these things without exposing yourself to
any halfway devious mind's mischief.
 Of course it's not possible to "unsupport" `load', but we can
document that it's a bad idea and how to do most configuration without
 I'm pretty close to halfway devious, but I'm too old and too busy
trying to keep up with a 15-year-old's mischief to commit any of my
XEmacs-Beta mailing list