Long time Emacs Lisp coder here. Here is a summary of the vulnerability described in the OP:
Anyone wishing to inspect an untrusted file of Emacs Lisp code is likely to use Emacs to do the inspecting, but if either of the popular packages Flymake and Flycheck is enabled, merely opening the untrusted file gives the author of the file the ability to run arbitrary code (because macros are tricky). Even if an Emacs user avoids Flymake and Flycheck, the standard emacs facility for "completing" the names of functions and variables has the same basic vulnerability. Specifically, if the user uses Emacs to open the file, then types the start of the name of a function or variable, then types M-tab (i.e., presses the escape key, then presses the tab key) which attempts to fill in the rest of the name so that user does not have to manually type out the whole name, the arbitrary code is run.
It is clear to me (who was never tempted to use Flymake or Flycheck) what remediation I want: namely I want this "M-tab" functionality (which I have been using and probably most Emacs users have been using) to refrain completely from expanding any macros even though doing so will prevent it from finding out the names of some of the functions and variables I might be trying to insert with the result that sometimes I will have to type out the full name of the function or variable, without assistance.
>AFAICT the earliest public discussion about the security implications of Emacs Lisp macros started in August 2018, when Wilfred Hughes noted that code completion can lead to arbitrary code execution via macro-expansion.
The fact that the maintainers have yet to fix this is one more sign added to a list of 5 or 6 other signs that make me want to migrate away from Emacs.
Giving the maintainers the benefit of the doubt, I think the optimal solution solution would require a lot of thought and work. While I have no doubt that Elisp is an environment especially ripe for these kinds of exploits, it's by no means unique to Emacs. Just look at VSCode's solution to this problem: https://code.visualstudio.com/docs/editor/workspace-trust .
I strongly prefer vscode's solution to the current state of affairs in Emacs.
I have no doubt that VSCode has a much less risk of executing code by opening something. Ironically however, it seems that VSCode's extension is the most effective channel to distribute malware in the history of code editors. [1] [2]
Not that MELPA couldn't be used to distribute malware either, I just think, as another poster mentioned, these problems are almost more social than technical.
[1] https://www.bleepingcomputer.com/news/security/malicious-vsc... [2] https://arxiv.org/html/2411.07479v1
If anything, Emacs users are probably much more likely to inspect the code of whatever extension they are using, since with every help page there is a link to the source code. It helps that it's much less popular and so not as big of a target.
Emacs is just too old to be architected with security in mind. It's a great editor, but has baggage that IMHO can't be addressed on the spot.
Working on a codebase where you can't (heavily?) break things between any commit imposes such a slow pace that it's not completely unreasonable to start from the ground up and just study what made Emacs great and what didn't work too well.
It's surprising how long Emacs has been around and how good of an editor it is. It really makes rewrite attempts such a long stretch that it exhausts the motivation and time out of spirited folks that give it a go, but I think that given how complexity is being modularised and moved out (LSP, DAP, grammars) and newer languages make packaging easier that Emacs will eventually be replaced, definitely without covering everything it can do, but being strong at the average editing session.
Depending on what you consider Emacs to be, it is either unlikely to be replaced, has already been replaced, or the concept makes no sense.
Emacs is an interactive Lisp environment that just so happens to have everything you need for a programmable text editor. Text editors are a dime a dozen, and Emacs is far from the only programmable one (although I'm not aware of any with the degree of programmability that Emacs offers). You can find alternatives for pretty much all of Emacs' functions, but you'll have a hard time finding it all in one place.
People have been talking about replacing Emacs itself with another interactive Lisp platform for decades (generally based on Scheme or Common Lisp), but it hasn't happened. I doubt it will. As cool an idea as Lem or Climacs or whatever are, they haven't attracted the user and developer base needed to even begin to approach Emacs' level.
And by and large, Emacs users don't care. We're a small enough group these days that no one is likely to target us with serious malware. We blindly trust Elpa and Melpa and the people who commit code there, and so far it hasn't been a problem. Complacent? Certainly, but that's human nature.
That's my opinion as well. I run Emacs 24/7 but I do so inside Firejail, with no network access. It's not architected with security in mind and exploits are too easy.
The same can be said about the Linux userland. The Unix model of giving plenty of access to resources and any user file to user processes is outdated.
I find it frustrating something like Firejail or bwrap is not standard. I don't want a compromised program to have easy access to e.g. my SSH keys.
>I run Emacs 24/7 but I do so inside Firejail
Can you share your Firejail config?
>Emacs is just too old to be architected with security in mind.
Bad security is endemic to all GNU projects. gnutls and gnupg come readily to mind, for example. In fact there was an article/blog post making the rounds a few years ago about how the letters "GNU" are an excellent heuristic for broken security models and fatally-flawed crypto.
What about GnuTLS and GnuPG do you think makes them insecure? I think that they offer something unique and that must be factored in; i.e. if you compare them to competitors, you can't compare apples to oranges when making judgments for them. In mind I have projects like Open/Bear/Boring SSL to compare GnuTLS with, and sequoia for gpg. I really like sequoia, but it offers a different product to gnupg.
Emacs is a mosaic of 50 years of computer history, security is not its priority, but I guarantee you that in bug-gnu-emacs any security/network-related patches are most welcome.
Well, how about the fact that gnutls allowed passive cleartext recovery attacks to go unpatched for about 2 years?
How about the fact that GnuPG is predicated upon the web of trust which has been demonstrated not to work, encourages misuse in the form of long-lived identities which discourages key rotation, has no ratchets nor forward secrecy, has multiple internal key parsers, and a littany of vulnerabilities involving authentication and downgrade attacks?
GNU is just organizationally incapable of producing secure code. These tools are not good tools. GnuPG in particular offers absolutely nothing that another single-purpose tool doesn't do better, but for some reason people get emotional and mount all kinds of irrational defenses of it. GPG is not good. It is broken at a fundamental level.
>Well, how about the fact that gnutls allowed passive cleartext recovery attacks to go unpatched for about 2 years?
They patched it when they became aware of it in <https://gitlab.com/gnutls/gnutls/-/issues/1011>, it was not "allowed" to go unpatched.
>How about the fact that GnuPG is predicated upon the web of trust
No it is not, the web of trust is one mode of operation out of infinitely many that you can come up with, it's not forced upon the user. It was evangelized for a long time until the keyservers got DOSed. In retrospect obvious, but also gnupg is more-or-less an "activist" project -- big corps and govs are against encryption for the masses by and large. Had it had institutional backing from the beginning (which it never got) it'd have a much more robust model for users to work with.
>encourages misuse in the form of long-lived identities which discourages key rotation
You can automate key rotation with gpg. The long-lived identity argument can be seen as a strength too, short-lived isn't always better.
>a littany of vulnerabilities involving authentication and downgrade attacks?
I'm not aware of these; do you mean that GnuPG is not secure by default in its algorithm list? It chooses compatibility over security, but you're free to change the configuration. I think it's too harsh to say that GnuPG is inadequate because of that.
>GNU is just organizationally incapable of producing secure code.
I don't see why that'd be true, anyone can contribute to GNU so there is nothing inherent about GNU that makes its projects insecure.
>GPG is not good. It is broken at a fundamental level.
Works for me! I use it to sign my git commits and tarball releases, and with gpg-agent I get to authenticate to SSH servers.
>Works for me!
Hey, so long as you're cognizant of the fact that everyone credible thinks GPG is at best a security LARP, do what you feel is best.
What better options are there, if you're aware of these weaknesses i'm sure you're aware of better options.
More in keeping with the Unix philosophy of doing one thing and doing it well (GnuPG in particular does a mediocre job of many things), the best move is to replace it with a suite of single purpose tools.
For example, signing commits with minisign or signify.
>For example, signing commits with minisign or signify.
These tools don't work well with git or the git forges, and they do not work at all with fossil. (Obviously signify is a good choice if you're using OpenBSD.) Furthermore they lock you in entirely in their choice of algorithm, Ed25519, which may not be what you want (Why not Ed448?)
As far as adoption goes, and adoption is hard to get going, GnuPG is what is used in Linux the most...
"Github supports GnuPG signatures" does not contradict the statement "GnuPG is trash". I will not engage further, it's obvious you are not interested in honest discussion of the technical merits.
The issue is mostly with git itself, e.g. take a look at
git cat-file commit HEAD
tree <tree-hash>
parent <parent-hash>
author <author-name> <author-email> <timestamp>
committer <committer-name> <committer-email> <timestamp>
gpgsig -----BEGIN PGP SIGNATURE-----
<ascii-armored RFC9580 signature>
-----END PGP SIGNATURE-----
<commit message>
You can add a patch to git to support more signature types than just OpenPGP. You may then be able to move mountains and get GitHub/others to join in the validation. Finally, if you can find bugs/exploits in GnuPG, you should report them and you will definitely get credit and recognition for them. They are not trivial to find.
I have heard it said that a problem with GPG is that it does encryption AND signing when you'd ideally have separate tools for those tasks, like, for example, age for encryption.
> 5 or 6 other signs that make me want to migrate away from Emacs.
Sure, Emacs is not without deficiencies. But what are the alternatives? Name one option that can do things in the way that Emacs allows you to? Don't say 'Vim' - as a die-hard vimmer who uses both daily, I can confidently tell you - it may take decades until Vim becomes sufficiently good to replace Emacs for me. And if you say 'VSCode', I'd simply laugh coughing up org-mode structured headings.
sure, if you're looking for something that can perfectly replicate what Emacs does, then you'll never find an alternative... Every alternative has obvious shortcomings, at least on first glance, that you have to get used to.
I have never used Emacs (other than briefly starting it up in the 90s, waiting 5 minutes for it to load on my old 386, just to be completely overwhelmed and closing it again) but I have used other tools that I replaced (sometimes multiple times) over the years. And it has never been "smooth". The first few days are full of compromises until you get into a mode of working "with" the new software instead of "against" it. Then it usually begins to make sense and after a week or two you've in business
Okay, but you know what? During my career as a software developer, I have wasted over a decade "getting used to" things being shitty, passively accepting mediocrity and suboptimal solutions.
Learning Emacs (and Vim too) finally made me realize that I was doing things wrong - I needed to be in charge. As a computer programmer, I should be commanding software, not being constrained by it.
Emacs has granted me that power by acting like glue. I don't turn away from useful software; I do use it. I just do it through Emacs, not instead. With Emacs, I make my own rules and I dictate what makes sense.
Most recent practical example? I just joined a team that uses Jira. Lots of people hate Jira (and for good reasons), in my case, I have no choice. So, instead of complaining how cumbersome and stupid Jira is, I decided to use it from Emacs. But instead of wasting time building a "native" extension, I just delegated things to go-jira - a command line client. Now, I can basically type 'FOO-31415' and Emacs automatically, contextually recognizes it as the 'jira ticket number', despite it being plain text. From that point I can retrieve its summary, turn it into a markdown link, browse the ticket, change its fields and status, etc. While anyone else have to waste their time opening Jira in the browser, I can perfectly do things without losing my focus, directly from my editor. That's working "with" software instead of letting software to fight "against" you.
Been using Emacs for 15 years, and I think you've perfectly captured the spirit of what makes Emacs so compelling in spite of the crazy time investment needed to make it your own. I have never used another piece of software that not only allows you to customize it so deeply but makes you feel like you're the one in control.
Hyping vaporware is not software development.
Judging by your profile comments, it looks like you have little clue what any of these words mean, especially the last one, which could be due to your emotionally underdeveloped brain. Before you start spitting your snacks at the screen in rage, let me explain - comments like yours often suggest someone experiencing difficulties with emotional regulation, empathy, and interpersonal relationships. I don't know the source of your irrational anger, but you may want to find someone to talk about it. Modern therapy can drastically change people's lives for the better.
I'm a lot less worried about this than I am about MELPA packages being targeted. But any other editor that incorporates a package manager exposes the same threat surface, and just about all of them are a lot more popular (thus more worth targeting) than Emacs.
Yes, it boils down to "be careful with untrusted code" no matter where it comes from. This is certainly not unique to emacs.
I'm starting to get "return to notepad++" vibes from HN today.
Well I use mostly stock emacs. If that's already owned, then I guess I'm screwed. I'm very selective about adding additional packages or using other "uninspected" elisp code.
It looks like adding a defcustom that would disable macro expansion, and basically any attempts to eval the code being edited, should not be a lot of work, or at least doable. Disable it in your config, get a nerfed-down but shields-up elisp editing mode.
Am I missing anything here? E.g. should I expect pieces of C code that handle completion in elisp mode?
> It looks like adding a defcustom that would disable macro expansion, and basically any attempts to eval the code being edited
Probably, yes. „org-babel“ can execute shell code inside an org document but always asks the user before it does. You can disable this if you want to. No big deal. Should totally work like this in elisp-mode, too.
Would you mind explaining how you could do this?
I expect that the entire mode is implemented in elisp-mode.el. It's based on lisp-data-mode, but I don't expect that to handle macros (should check though).
Looking at elisp-completion-at-point and likely deeper into elisp--completion-local-symbols, I'd try to find where macroxpansion occurs, and make it conditional. Same for the explicit emacs-lisp-macroexpand.
I would also search for `(eval ` in general and maybe put it under a buffer-local flag, too, so that you won't press C-x C-e or C-M-x and execute malicious code by mistake, when you know you're working on a piece of malicious code.
Maybe instead of a defcustom, it should rather be a minor elisp-paranoid-mode which would do all kinds of things to prevent execution of the code in the buffer, or the code the buffer refers to, etc.
Doesn’t vim also have some ability, easily abused, to put a script at the top of a file, and it’ll just run when you open the thing?
This seems like a really useful functionality to have in the context where you actually do trust the files, but it is wildly insecure and an unexpected trapdoor, to have simple files executing things when you open them with a simple text editor…
Emacs has that, too. There are protections in that case, though. See: https://www.gnu.org/software/emacs/manual/html_node/emacs/Sa...
Probably going to add similar protections here? Basically, I'd assume if it is your first time visiting a file, macros won't be expanded during autocompletion.
I dunno. I can see why this functionality might be useful, but I kinda think distros should disable it by default/make it whitelist-only.
I think the implications are really unexpected for “new” users (where “new” could be pretty generously defined, I mean, I know a couple people who use vim IRL, I think they would not expect this… it is the sort of thing you know about if you are somebody who goes online to talk about text editors I think). And these are also the sort of users who are used to seeing shebangs and other line noise at the top of files, not understanding it, and ignoring it.
I think we’re only being protected by the fact that spreading a virus though command-line text editors is… going to result in not a ton of hits.
I'm confused. Per the doc, it is disabled by default? Specifically, the first time it is encountered on a file, it will ask the user if they want to allow it. And they flat out don't ever do things like "eval" during these values.
That's a different potential vulnerability. I knew about that one (and had disabled the running of such scripts). I didn't know about this one till today.
Helping me finish typing the name of a function or variable ("completion") is not the sort of thing I expected (till today) the maintainers of Emacs to be so eager to do that they'd start running code that I never asked to be run.
A common pitfall of IDE integration for dynamic languages is that it tends to execute the code under test to provide contextual completion or may decide to run doctests, etc. This has been/is a problem with editing Ruby code, and perhaps Python code and more too too. I'm unsure if this is a problem editing vimscript or lua with NeoVim with the only non-evidence is that I haven't heard of it.
Good call to prevent macro expansion. Does also no big harm nowadays as there are several other ways to get good auto completion, e.g. copilot. Other than that no need to restrict functionality for power users.
The Church of Vim is always accepting new disciples.
Jokes aside, if you're considering Vi-like editors (and assuming you haven't already done your research -- which by the sounds of it, you may well have):
- I recommend going for Neovim over classic Vim at this point. The first-class Lua support for building out your configs and working with extensions is a big quality-of-life improvement over just VimL, and it's a more portable skill with fewer surprises. As a bonus, this gives you access to a world of shockingly high-quality extensions that require Lua to run.
- If you want a decent starting point before you start tweaking a ton of settings, Spacevim is it. I haven't used it extensively but I've only heard good things.
- I recommend against trying to use Emacs bindings in Vim if you can help it. I used these when I initially moved over (at this point about a decade ago) and they were clunkier than both Emacs's bindings and Vim's native bindings. Learning how to work with Vim's modes is an investment that pays off as quickly as a few days with intense use, or a few weeks with more casual use.
- `vim-arpeggio` (or the native chording support in newer versions of Neovim) is your friend for avoiding `<Esc>`-induced repetitive-strain injury.
Oh, you think people choose Emacs instead of Vim because of keybindings?
Then tell me please, how often do you do your research in Vim, using LaTeX embeddings while taking annotations to a pdf that's rendered in the adjacent window?
How often do you take notes, while watching a YouTube video while controlling the playback, speed and volume from your editor? I can watch the video, while following the transcript karaoke-style, pause, speed-up, mute the video whenever I want (so I can start typing), I can grab the pieces of transcript and ask an LLM to give me explanations, etc.
Do you read RSS in Vim? Are any RSS readers as well-integrated and feature-rich as elfeed.el in Emacs? I honestly doubt it. And it's not a matter of skepticism over the quality of Vim extensions. Emacs has far fewer active users and even fewer of those who build things in Elisp, yet it remains the most integratable thing ever. The thing is - unlike VSCode, Vim, Sublime, and IntelliJ - Emacs allows you to change any given behavior of any function - built-in or third-party - with such great granularity that is simply not possible anywhere else.
What about email? Is there anything close to the level of notmuch, mu4e or gnus? I seriously doubt any vim plugins provide the same level of integration.
Do you manage your Jira (or whatever project management) you do from Vim?
Do you control your browser from Vim? I do it from Emacs and it's very cool.
Can you perform a dynamic search on YouTube, Google, DuckDuckGo, Wikipedia, your browser history and other places while typing the query only once? I do that all the time in Emacs.
So, Emacs is not about keybindings. Because you can change them in a way that no other editor lets you do. In Emacs you can use whatever modal or non-modal editing flavor you want, but that's beyond the point.
As a schismatic from the Church of Vim, I’m compelled to recommend kakoune here. Unless you’re running in a peculiar legacy platform like Windows or Amiga, the selection oriented editing and smooth Unix integration are a delight.
I've considered it from time to time. The conclusion I keep drawing is that, if I were going to benefit from a selection-oriented editing paradigm, I would use Visual mode more than I do.
The multi-cursors, those I want. But I'm willing to wait for Neovim to get them.
That’s entirely reasonable; I switched in part because I was using visual mode so much. That being said, if you want a more vi-like experience in kakoune, you can always pipe your whole buffer through sed :)
As another fan of Kakoune's model of editing (or model of modal editing), I would recommend Helix. It's a low-config tool that lets you start working without turning many knobs. Supports tree-sitter grammars and language server protocol.
I haven't heard of either Kakoune or Helix, but I'm buried pretty deep in my own opinionated config.
As far as I'm concerned, the more readymade options, the better. Thanks to you and sevensor for adding recommendations!
> I recommend against trying to use Emacs bindings in Vim if you can help it
This is fine, I think. Using C-w is more convenient than <Esc>diw. I also find C-a and C-e quite convenient, although you need plugins for these (tpope's vim-rsi is good).
I might be worth starting without them, though, so they learn not to rely on them too much.
That being said, I use home-row mods, which makes Control a lot easier to use than regular keyboards.
Spacevim? Emacs bindings in vim? Heresy!
Spacemacs defaults to vim bindings and it's easily my favorite editor, while saving you from (some of) the endless config tweaking.
Are you saying there can’t be security vulnerabilities in Neovim? [rhetorical question]
As I understand it, the vulnerability is that viewing untrusted elisp code may lead to arbitrary code execution. Personally, I don’t remember a case where I would view elisp code without the intent of running it.