From 5580f89da876cdc9cd47f036834172073ee00b95 Mon Sep 17 00:00:00 2001 From: Glenn Morris Date: Tue, 6 Dec 2011 00:31:42 -0800 Subject: [PATCH] * lisp/emacs-lisp/package.el (package-archives): Doc fix re riskiness. --- lisp/ChangeLog | 4 ++++ lisp/emacs-lisp/package.el | 7 ++++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/lisp/ChangeLog b/lisp/ChangeLog index c222302cc9d..894a66b2cab 100644 --- a/lisp/ChangeLog +++ b/lisp/ChangeLog @@ -1,3 +1,7 @@ +2011-12-06 Glenn Morris + + * emacs-lisp/package.el (package-archives): Doc fix re riskiness. + 2011-12-06 Chong Yidong * progmodes/cc-fonts.el (c-annotation-face): Use defface. diff --git a/lisp/emacs-lisp/package.el b/lisp/emacs-lisp/package.el index 8417aa8d380..a1513039a98 100644 --- a/lisp/emacs-lisp/package.el +++ b/lisp/emacs-lisp/package.el @@ -113,6 +113,8 @@ ;;; ToDo: +;; - a trust mechanism, since compiling a package can run arbitrary code. +;; For example, download package signatures and check that they match. ;; - putting info dirs at the start of the info path means ;; users see a weird ordering of categories. OTOH we want to ;; override later entries. maybe emacs needs to enforce @@ -224,7 +226,10 @@ Each element has the form (ID . LOCATION). LOCATION specifies the base location for the archive. If it starts with \"http:\", it is treated as a HTTP URL; otherwise it should be an absolute directory name. - (Other types of URL are currently not supported.)" + (Other types of URL are currently not supported.) + +Only add locations that you trust, since fetching and installing +a package can run arbitrary code." :type '(alist :key-type (string :tag "Archive name") :value-type (string :tag "URL or directory name")) :risky t -- 2.39.2