bug#57878: Minimal reproducible setup

[Liliana Marie Prikler]

Am Donnerstag, dem 13.10.2022 um 12:31 +0300 schrieb Max Brieiev:
> > I think this reasoning really falls flat in presence of any non-
> > Emacs package manager.  Like, obviously wanting to natively compile
> > packages managed by (dpkg, rpm, pacman, emerge, guix), but not
> > natively compiling a random elisp script you just downloaded from
> > the web is a legitimate use case.
> 
> If security is a concern, you should not load random Elisp in the
> first place. It is much easier to just directly run harmful elisp,
> then to exploit native compiler, which stays silent until after you
> evaluate some (possibly harmful) elisp.
The nature of compiled code being compiled makes it much easier to
exploit, however.  Assume you have a genuine dash.el, but a malicious
person delivers you a dash.eln with some backdoor.  Unless you know how
to read x86 assembly, you won't debug the latter, whereas you could
reasonably find the former if you're an Elisp hacker.

This is typically not a concern for Guix, where the challenge mechanism
provides tools to highlight that something is going wrong, but it might
be a concern for traditional distros.  Then again, the same applies to
bytecode too, and here as well the solution is to typically use a
trusted package manager.

Cheers