Re: ELPA package submission: buffer-env
From: Augusto Stoffel
Subject: Re: ELPA package submission: buffer-env
Date: Mon, 28 Feb 2022 20:54:17 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/28.0.91 (gnu/linux)

On Mon, 28 Feb 2022 at 14:40, Stefan Monnier <monnier@iro.umontreal.ca> wrote:
> The default value for `buffer-env-command` is a gaping security hole, tho.
> Any hope we can make this a bit less dangerous?

I think it's already made sufficiently tame: before running any given
version of an .envrc script, you have to explicitly say yes. Then a
hash of the script contents is saved in a custom variable, so the second
time you run the same script you don't need to confirm.

I copied that idea from the direnv program, so I want to believe that
any security holes should be due to bad implementation rather than a bad
concept.
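
The confirm-once scheme described in the message above, as an added example that is not part of the original message and is not buffer-env's or direnv's code. The class name, the SHA-256 choice and keying approval on the content hash alone are assumptions made for illustration.

```python
import hashlib
from typing import Callable, Set


class ScriptAllowlist:
    """Approve-once store keyed by a hash of the script contents.

    Hypothetical helper: SHA-256 and the in-memory set stand in for
    whatever hash and persistent variable a real implementation uses.
    """

    def __init__(self, confirm: Callable[[str, str], bool]):
        self._approved: Set[str] = set()
        self._confirm = confirm  # called as confirm(path, digest) -> bool

    @staticmethod
    def digest(content: bytes) -> str:
        return hashlib.sha256(content).hexdigest()

    def authorize(self, path: str, content: bytes) -> bool:
        """Return True only if these exact bytes are, or become, approved."""
        h = self.digest(content)
        if h in self._approved:
            return True   # same version approved earlier: no prompt
        if self._confirm(path, h):
            self._approved.add(h)
            return True
        return False      # a refusal is not remembered, so the next run asks again


def demo():
    """Run three authorizations over constructed script contents."""
    prompts = []

    def confirm(path, digest):
        prompts.append(digest)
        return True       # constructed user who always answers yes

    allow = ScriptAllowlist(confirm)
    v1 = b"export FOO=1\n"   # constructed sample .envrc contents
    v2 = b"export FOO=2\n"   # the same file after an edit
    results = [allow.authorize(".envrc", c) for c in (v1, v1, v2)]
    return results, len(prompts)
```

The caller should execute the same bytes it passed to `authorize`, not re-read the file afterwards, so that what runs is what was hashed.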