Date: Wed, 25 Nov 2020 07:54:53 +0300
From: Jean Louis
To: Tim Cross
Cc: emacs-orgmode@gnu.org
Subject: Re: One vs many directories
In-Reply-To: <875z5uxzev.fsf@gmail.com>

* Tim Cross [2020-11-24 23:40]:
> > Thus it is only a security issue if you permanently accept that eval
> > file local variable and then open random org files that use it with a
> > malicious startup block. An eval file local variable like that which
> > blindly executes an org babel block should never be permanently
> > accepted
> >
>
> Quite right Tom.
>
> If people are really concerned about security, they should look first at
> their use of repositories like MELPA. There is no formal review or
> analysis of packages in these repositories, yet people will happily
> select some package and install it.

That is analogous to enabling local variables because user has been
asked. Popping up a window with question is often a dialogue that
users are asked in other software. Dialogues are often not read, just
as I was not reading it for years and I did click YES many times.

Using such variables is unsafe and the default should be not to
execute it without any question. Only when user enables local
variables then user should be asked to execute it. That would mean
that aware user knows why that is needed. Such will be able to answer
questions YES or NO. Unaware users must answer something.

To be aware one has to know Emacs Lisp and deeper functions of
Emacs. In beginning years it was just fine to assume so due to general
computing interests and people being interested in every detail, today
there are even more users of Emacs who will not know what is going on.

I do not know about you, but when computer asks me anything YES or NO,
my tendency is to answer YES regardless if I have read it or not. This
same tendency may be with thousands of other users. If I have invoked
something on computer and I get asked anything, I have tendency to
approve whatever comes on me as I approved it by invoking some
action. Not that I am doing it every time yet I have the tendency of
doing it.

Observing users who are asked questions upon invocation of other
software I can say that many times users just click one of the
options, either YES or NO, but without real regard to the
meanings. The purpose to click either YES or NO is to continue one
step forward and randomity decides later what happens.
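
An added example, not part of the original message: a Python audit that lists the `eval:` file-local variables in a file before Emacs opens it, so the decision does not rest on a YES/NO prompt. It approximates Emacs's lookup rules (a first-line `-*-` cookie and a `Local Variables:` list starting within 3000 characters of the end of the file); the function names and the sample file are constructed for illustration.

```python
import re

TAIL_CHARS = 3000  # Emacs expects the list to start within this distance of the end

# Constructed sample: an Org file whose trailer asks Emacs to run a form on open.
SAMPLE_ORG = """#+TITLE: notes
* Heading
# Local Variables:
# fill-column: 80
# eval: (org-sbe "startup")
# End:
"""

def _eval_entries(pairs):
    # Keep the value of every entry named "eval"; the name is compared
    # case-insensitively so the audit errs towards reporting.
    return [v.strip() for k, sep, v in pairs if sep and k.strip().lower() == "eval"]

def find_local_evals(text):
    """Return the Lisp forms of all `eval:` file-local variables found in text."""
    lines = text.splitlines()
    forms = []
    # Form 1: "-*- var: value; eval: (form) -*-" on the first line,
    # or on the second line when the first is a "#!" interpreter line.
    head = lines[:2] if lines and lines[0].startswith("#!") else lines[:1]
    m = re.search(r"-\*-(.*?)-\*-", head[-1]) if head else None
    if m:
        # Naive split on ";": a form containing ";" is truncated but still reported.
        forms += _eval_entries(e.partition(":") for e in m.group(1).split(";"))
    # Form 2: a "Local Variables:" ... "End:" list near the end of the file.
    tail = text[-TAIL_CHARS:].splitlines()
    starts = [i for i, l in enumerate(tail) if re.search(r"Local Variables:", l, re.I)]
    if starts:
        first = tail[starts[-1]]
        pos = re.search(r"Local Variables:", first, re.I)
        prefix, suffix = first[:pos.start()], first[pos.end():]
        body = []
        for line in tail[starts[-1] + 1:]:
            if line.startswith(prefix):
                line = line[len(prefix):]
            if suffix and line.endswith(suffix):
                line = line[:-len(suffix)]
            if line.strip().lower() == "end:":
                break
            body.append(line.partition(":"))
        forms += _eval_entries(body)
    return forms
```

Any non-empty result is a form Emacs would offer to evaluate when the file is visited, so it can be read in a plain viewer first.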