help-gnu-emacs

RE: Sv: Install orgmode using its git repository.


From: arthur miller
Subject: RE: Sv: Install orgmode using its git repository.
Date: Tue, 29 Dec 2020 17:18:58 +0000

Also if it is only for the org, one can add org package archive and fetch it 
via package.el already. I use to do it, so bare git access is certainly not 
mandatory to install latest org, if one that comes with Emacs is not enough.


-------- Original message --------
From: Leo Butler <leo.butler@umanitoba.ca>
Date: 2020-12-29 16:49 (GMT+01:00)
To: help-gnu-emacs <help-gnu-emacs@gnu.org>
Subject: Re: Sv: Install orgmode using its git repository.

arthur miller <arthur.miller@live.com> writes:

> None of that you write is particularly adequate "addressing" of potential 
> security vulnerability that lets potential malicious code 1) install 
> anything on your machine 2) steal your data 3) destroy your data.
>
> Maybe a virtual machine, but then you wouldn't be running your Emacs for 
> anything sensitive or serious.

Actually, *nix systems have a very good way to handle these kinds of
threats without resort to such devices: users and groups. One can create
a user account with very limited privileges for working with unvetted
code, data, etc.

Actually, I do this for developing new code, too. That way, whatever I
break/change is contained within the confines of that account.

>
> A reviewed package from elpa/helps gives at least some guarantee that you are 
> not getting binary blobs and/or directly malicious code installed on your 
> machine.

Leo


>
>
> -------- Original message --------
> From: David Masterson <dsmasterson92630@outlook.com>
> Date: 2020-12-28 22:44 (GMT+01:00)
> To: arthur miller <arthur.miller@live.com>
> Cc: Hongyi Zhao <hongyi.zhao@gmail.com>, Stefan Monnier 
> <monnier@iro.umontreal.ca>, help-gnu-emacs <help-gnu-emacs@gnu.org>
> Subject: Re: Sv: Install orgmode using its git repository.
>
> arthur miller <arthur.miller@live.com> writes:
>
>> I don't think it is very safe practice to install random Joe's code
>> directly from some git repo. We have not yet seen malicious code (not
>> what I know) in Emacs community, but Emacs in that respect is as bad
>> as MS Office from time when VBA scripts (and viruses) were shared
>> wildly around, or a web browser with JS that can do anything. Remember
>> time when JS was off by default in all browsers?  Elisp can do
>> whatever on your computer, so you should be careful what you
>> install. Installing from random git repos can open you for more
>> security problems than needed. I do clone lots from gitlab/github, but
>> I always look at the code myself before I ever run it.
>>
>> Another point is that installing from git and different branches as it
>> is possible with straight.el or quelpa (is what OP actually wants) can
>> eventually lead to incompatibility between code that might be much
>> harder to detect. I personally don't want to bother with latest-latest
>> of all latest because eventually it could become a spaghetti code of
>> possible incompatibility and clashes.
>
> You can address these points in multiple ways:
>
> 1. A good backup and restore strategy
> 2. Virtual machines (i.e. a chromebook)
> 3. prioritize (m)elpa-stable over (m)elpa
> 4. el-get can get particular version from git
> ...
>
> --
> David Masterson
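
As an added illustration of the package.el route mentioned at the top of this message and of item 3 in David Masterson's list (not code from any participant in the thread): an init-file fragment that adds the org archive, ranks melpa-stable above melpa, and installs org from its archive instead of a raw git checkout. The archive URLs are the public ones from the time of the thread, and the priority numbers are arbitrary assumptions.

```emacs-lisp
;;; Added example, not from the thread: archive setup for package.el.
(require 'package)

;; Archives to consult.  Everything is fetched over HTTPS.
;; Assumption: these URLs are the ones in use when the thread was written.
(setq package-archives
      '(("gnu"          . "https://elpa.gnu.org/packages/")
        ("org"          . "https://orgmode.org/elpa/")
        ("melpa-stable" . "https://stable.melpa.org/packages/")
        ("melpa"        . "https://melpa.org/packages/")))

;; A higher number wins.  When a package exists in several archives,
;; only the copy from the highest-priority archive is offered, even if
;; a lower-priority archive carries a newer build.
;; The numbers themselves are arbitrary; only their order matters.
(setq package-archive-priorities
      '(("gnu"          . 30)
        ("org"          . 30)
        ("melpa-stable" . 20)
        ("melpa"        . 10)))

;; Pin org to its own archive so no other archive can supply it.
(setq package-pinned-packages '((org . "org")))

;; Verify signatures for archives that publish them (GNU ELPA does),
;; while still accepting archives that ship unsigned packages (MELPA).
(setq package-check-signature 'allow-unsigned)

(package-initialize)

;; org is also bundled with Emacs, and `package-installed-p' returns t
;; for built-in packages, so test `package-alist' (packages installed
;; through package.el) instead.
(unless (assq 'org package-alist)
  (package-refresh-contents)
  ;; Install the archive's package descriptor explicitly; passing the
  ;; bare symbol would be a no-op because of the built-in copy.
  (package-install (cadr (assq 'org package-archive-contents))))
```

This narrows where code comes from; it does not review the code, so the reading-before-running habit described in the thread still applies to anything an archive delivers.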


