help-gnu-emacs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

eval myths - Re: How to tame compiler?


From: Jean Louis
Subject: eval myths - Re: How to tame compiler?
Date: Fri, 30 Apr 2021 23:23:03 +0300
User-agent: Mutt/2.0.6 (2021-03-06)

* Jorge P. de Morais Neto <jorge+list@disroot.org> [2021-04-30 17:29]:
> Hi all!
> 
> Em [2021-04-22 qui 10:46:59-0400], Stefan Monnier escreveu:
> 
> >> Is there a way to avoid these warnings?
> >
> > Yes: don't abuse `eval` ;-)
> 
> Jean Louis, could you provide a little more detail on what are you using
> ~eval~ for?  Some tasks accomplished by eval can be done more safely by
> other means.  For example, if you just want symbol indirection, you can
> use ~symbol-value~ (there is also ~symbol-function~).  If you want to
> apply a function object to a sequence of arguments, you can use ~apply~
> or ~funcall~.
> 
> I know little about Elisp; more experienced hackers may know about other
> mechanisms that avoid the need for ~eval~.

Good read:
https://en.wikipedia.org/wiki/Eval#Security_risks

My eval-ing is equally dangerous as Org Babel evaling. If I write some
destructive commands, well, it will be destructive.

There is no special security risk there, as eval-ing does not take
place online. But I could as well do it online, even then there need
not be any security risk as I can tell which data goes into eval and
decide not to include dynamic data, but currently I do not see any
need for that.

I could write text with eval-ing markup and have it interpolated by
using Emacs on the fly, it would be pretty fast WWW publishing. Let us
say I wish to say when is document last modified, I could just
include:

Last modified: ⟦ (last-modified) ⟧ and it would interpolate into time
stamp of the file in question.

Eval I use also in the nodes in the PostgreSQL database. I am thinking
also to have various database types define for themselves their
presentation or export functions. Right now I have Emacs hashes in the
database. It is similar to properties in Org mode, though I have
properties also as PostgreSQL array type. Some document entry could be
saved in the hash, it expands PostgreSQL data type into something that
Emacs understands, such hash has to be evaled.

Let us say, I defined "Markdown Flavour X" as type, then the type
could have its functions inside of itself in the database. That would
be evaluated with eval and run. HTML could be generated, or some other
program. Instead of hard coding it statically in a program, a remote
or collaborative program could simply access the database by which
access program would be extended, fetched from remote database and
executed. Of course it gives to the remote resource full control about
which program is there. But then there can be PGP signature for
verification if necessary.

-- 
Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns

Sign an open letter in support of Richard M. Stallman
https://stallmansupport.org/
https://rms-support-letter.github.io/




reply via email to

[Prev in Thread] Current Thread [Next in Thread]