package security auditing and isolation

[Ted Zlatanov]

After watching some discussions among the MELPA maintainers, I wanted to
ask what Emacs itself can do to audit and isolate packages from
modifying the user's system. This is a concern for almost all Emacs
users because any ELPA repository, its sources, and its signing process
can be compromised for at least a short time. I think it's good to
assume this will happen sooner or later, and to proactively defend Emacs
users from it.

I propose two specific pieces of functionality, which I think are
essential to this task:

1) tools for analyzing the source code and finding the function calls
that can be dangerous. This includes eval, calling the shell, etc.

I don't know how feasible this is, but IMHO it would be valuable. At the
very least it could make code reviews easier by focusing on the
potentially problematic sections. I think Emacs' core is the right place
to add such code, not modules or add-on packages.

2) establishing isolation levels in the C core. Simply put, not all
packages need to be able to run shell commands, delete or modify files,
and so on. When the user installs or updates a package, if the needed
access levels change, that should be noted and acknowledged.

Thanks
Ted