I disagree that you can handwave around public editing of executable code that is by convention copied and pasted to hundreds of machines by invoking "WikiNature".

I agree that unsecured editing of code is a problem, and I did not mean to imply otherwise. I recommend reading "On Trusting Trust" if you're interested in such issues.

There are already other mechanisms in place to distribute Emacs code, like any of the Emacs package managers and Git, and yet EmacsWiki continues to be a place where code is collected and discussed.

I don't think moving to another wiki system would change that, since any other wiki system would have the same shortcomings as OddMuse in this respect. There is a straight trade-off between maintaining security on wiki pages and their utility. OddMuse does a good job, like all wikis, of keeping a page history that allows all edits to be audited. A new wiki might prevent editing of the code, or only allow editing by "verified" users, but that still provides no real improvement to security, since anyone can sign up and post code. Neither, incidentally, does a Git repository like GitHub or Gitorious; if you're unwilling to read and understand the code you download, you still have to put your faith in folks you don't know. Even if you do read and understand the code, you still can't be sure.

More important, however, is your implied assertion that security is a problem in practice. Have there been any cases where malicious code was posted on EmacsWiki? Did it cause harm?

I'm getting the feeling that "publicly editable code" is a manufactured issue to be divisive, but I could just be unaware of a security problem that has been pervading the Emacs community.


I have no idea why 5 paragraphs of message board comment is supposed to get me to ignore the fact that anyone on the Internet could backdoor my Emacs by editing a wiki page.

He's right; community code is a model that works on GitHub and absolutely does not work on an unauthenticated wiki.


Well, there goes my relaxing afternoon. ;)

At least I'm pretty sure I don't have many Emacs packages that originally came from a file on EmacsWiki...


I looked too. Crazy that it took a Batsov post to get me to realize how dumb that system is.

