From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp2 ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms11 with LMTPS id 2A8MB6dvvV/hDAAA0tVLHw (envelope-from ) for ; Tue, 24 Nov 2020 20:40:07 +0000 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp2 with LMTPS id mBD1AqdvvV+FLQAAB5/wlQ (envelope-from ) for ; Tue, 24 Nov 2020 20:40:07 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 94E30940222 for ; Tue, 24 Nov 2020 20:40:06 +0000 (UTC) Received: from localhost ([::1]:59466 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1khf6Z-0004h4-Tx for larch@yhetil.org; Tue, 24 Nov 2020 15:40:03 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:37692) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1khf62-0004gq-Fe for emacs-orgmode@gnu.org; Tue, 24 Nov 2020 15:39:31 -0500 Received: from mail-pg1-x531.google.com ([2607:f8b0:4864:20::531]:44719) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1khf5z-0006vs-4h for emacs-orgmode@gnu.org; Tue, 24 Nov 2020 15:39:30 -0500 Received: by mail-pg1-x531.google.com with SMTP id t3so216928pgi.11 for ; Tue, 24 Nov 2020 12:39:26 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=references:user-agent:from:to:subject:in-reply-to:message-id:date :mime-version:content-transfer-encoding; bh=1uNeRkLL6NE79qY0lOajfuOiq+rXB5uxBTCgd3qPRhM=; b=ifk3x+2tSCZFbAylzKdd134g4f2loURetIGov1e2U2MrXmIlCTCdWovvt00DORjEY/ Z+eTIvl+gL8/RwMljoFUDUIT8kJpNInorD93tujGLN7xWHAfScoYM75JkKBxUzxkULb2 yBmISVf49M6HbqDUFvwbzQqm8TVVj4bcJa0pYRbffqAvpQfy01aowngbYpvfNCpMqluj /iyeViBrFnJ+carHe6u2d/IeU+Z20VvfHCrSCYOe5F+5juPc+md4/t6oFqmQLYzPpwaI +B2TnjqB2ImbD0+Wafc/JcxQlsPzNTIGNgW04flway6GGhYbsXbeLfvt2gHIQFK6S7Pt xo6g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:references:user-agent:from:to:subject :in-reply-to:message-id:date:mime-version:content-transfer-encoding; bh=1uNeRkLL6NE79qY0lOajfuOiq+rXB5uxBTCgd3qPRhM=; b=ViI+TkftVKJvreiFzCNl7cmFBY9Qvj8cmyxgxSyUk9MS1yLdpoWvYhG1CnZ9W6ddei uogkEHzSvAC3Y1JROyFrOY8Ve5GUZa5C1yfQJSk13MFopkftX8fMDvV53rZqxnuubbDe tJCFo1fI2Vgf4Q5lYLMVf1OI3BnZvlRzOETeefNA3k+kaeomhkHCZ3iY35+jsQhS5vY8 xSj7gZWlIVBnQPPr76cMrFOeaE98xCm0K+av/VUkTOcPW5IzPbZOfFiUgN8boMgw4rvl uhvmvDYb/22KRstkVKhsaiFXOQzdNtib+VayjzMCuZKTfzKcLJShfCvm38wJvfKfYQEW kqUA== X-Gm-Message-State: AOAM530e6MItnuWXi5Nx7H479OQi1SneBNuzixubMliI+OnDSNSKWljk PSxG4ji8zpxB3/ZMg7/gdv3MqroALR8sKQ== X-Google-Smtp-Source: ABdhPJwflwP0hq6wsVlDXUVvhIuqsEZM/rJOvR56895XCLP1C2USWu9/nOGvjH4PtC5wVuUQyDFm8Q== X-Received: by 2002:a17:90a:e00d:: with SMTP id u13mr29284pjy.56.1606250364914; Tue, 24 Nov 2020 12:39:24 -0800 (PST) Received: from tim-desktop (220-235-2-238.dyn.iinet.net.au. [220.235.2.238]) by smtp.gmail.com with ESMTPSA id x10sm82774pga.70.2020.11.24.12.39.23 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 24 Nov 2020 12:39:24 -0800 (PST) References: <87mtz84om9.fsf@localhost> <87ft4zhyuo.fsf@disroot.org> <877dqbhtgf.fsf@ucl.ac.uk> <87zh36d1xn.fsf@web.de> User-agent: mu4e 1.5.7; emacs 27.1.50 From: Tim Cross To: emacs-orgmode@gnu.org Subject: Re: One vs many directories In-reply-to: Message-ID: <875z5uxzev.fsf@gmail.com> Date: Wed, 25 Nov 2020 07:39:20 +1100 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Received-SPF: pass client-ip=2607:f8b0:4864:20::531; envelope-from=theophilusx@gmail.com; helo=mail-pg1-x531.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: emacs-orgmode@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "General discussions about Org-mode." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-orgmode-bounces+larch=yhetil.org@gnu.org Sender: "Emacs-orgmode" X-Scanner: ns3122888.ip-94-23-21.eu Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=gmail.com header.s=20161025 header.b=ifk3x+2t; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (aspmx1.migadu.com: domain of emacs-orgmode-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=emacs-orgmode-bounces@gnu.org X-Spam-Score: -1.71 X-TUID: OcxSjXtpKBHS Tom Gillespie writes: >> > That is security issue. >> >> Why is it a security issue? The variables do need to be close to the end >> =E2=80=94 3000 characters is only about 50 lines. > > It isn't a security issue by itself. Emacs never automatically runs > eval file local variables unless you have tampered with > enable-local-eval, in which case the tamperin is the security issue > not the existence of the local variables list. > > Thus it is only a security issue if you permanently accept that eval > file local variable and then open random org files that use it with a > malicious startup block. An eval file local variable like that which > blindly executes an org babel block should never be permanently > accepted > Quite right Tom. If people are really concerned about security, they should look first at their use of repositories like MELPA. There is no formal review or analysis of packages in these repositories, yet people will happily select some package and install it. -- Tim Cross