
Discussion (5 Comments)

accelbred, about 1 hour ago
The one problem I have with the trusted files thing is that I have no way to trust non-file-visiting buffers. Why is *scratch* untrusted!? *scratch* should always be trusted, without me having to configure anything, ideally. Though a setting to automatically trust non-file-visiting buffers would be nice. I just ended up stopping using the scratch buffer because of that issue.
quotemstr, 11 minutes ago
The trust model of Emacs makes no sense. It's overly conservative, hurts the development experience, encourages blanket permission granting, and worst of all, sins against logic and lisp themselves.

Macro expansion is data transformation. Form in, form out. Most macros are pure functions of their inputs. Even the ones that aren't seldom have effects that would allow exploitation. That's because a well-written macro does not have side-effects during expansion time, but instead generates code that when itself evaluated, has the desired effect.

The idea is that expanding an untrusted macro can be dangerous. This much is true. But the risk occurs only when both the macro and its expansion are untrusted. The vast majority of macros do not transform code in dangerous ways. It is perfectly safe to use these macros to expand untrusted forms to make flymake, find-function, and other features work correctly. To blanket-prohibit expansion even by macros doing obviously safe transformations is to misunderstand the issue.

At a minimum, it must be possible to define a macro and mark it safe for expanding untrusted code. Beyond that, it would be safe to run the macro-expander itself in an environment without access to mutating global operations. Since almost all macros are intrinsically safe to expand, we'd have far fewer situations in which people had subpar development experiences from overly conservative security mitigations.

In addition, after I've eval-buffered a file, that file (at least until reverted from disk) should be safe. I mean, if it were malicious, its malice would have manifested at the time it ran code as it was evaluated.

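The allowlist mechanism proposed in the comment above (mark individual macros as safe to expand on untrusted input, refuse everything else) can be sketched in a few lines of Emacs Lisp. The block below is an added illustration written for this page; it is not Emacs's own code and Emacs does not currently provide it. The function names, the `safe-macro-for-untrusted` symbol property, the `safe-macro-expand-refused` error and the allowlist contents are all assumptions chosen for the example.

```elisp
;; Added example, not part of the original thread or of Emacs.
;; Everything named `safe-...' here is hypothetical.

(define-error 'safe-macro-expand-refused
  "Refusing to expand a macro not marked safe for untrusted input")

(defun safe-macro-mark (name)
  "Record that macro NAME is safe to expand on untrusted forms.
Hypothetical marker: a symbol property, not an Emacs facility."
  (put name 'safe-macro-for-untrusted t))

;; Constructed allowlist: macros whose expansion only rearranges their
;; arguments and performs no side effect at expansion time.
(dolist (m '(when unless if-let when-let and-let* pcase dolist dotimes push pop))
  (safe-macro-mark m))

(defun safe-macro-expand-1 (form)
  "Expand FORM one step if its head is an allowlisted macro.
Return FORM unchanged if the head is not a macro at all; signal
`safe-macro-expand-refused' if it is a macro without the mark."
  (let ((head (car-safe form)))
    (cond
     ((not (and (symbolp head) (macrop head))) form)
     ((get head 'safe-macro-for-untrusted) (macroexpand-1 form))
     (t (signal 'safe-macro-expand-refused (list head))))))

(defun safe-expand-all (form)
  "Fully expand FORM using only allowlisted macros.
Quoted data and `function' bodies are left alone and special forms
are walked but not interpreted; this is a deliberately simple walker
for illustration, not a replacement for `macroexpand-all'."
  (let ((next (safe-macro-expand-1 form)))
    (while (not (eq next form))            ; expand the head to a fixpoint
      (setq form next
            next (safe-macro-expand-1 form)))
    (pcase form
      (`(quote . ,_) form)                 ; quoted data is never code
      (`(function . ,_) form)
      ((pred consp) (mapcar #'safe-expand-all form))
      (_ form))))

;; Untrusted form, trusted transformation: `when' and `push' are marked
;; safe, so the form expands normally and a checker could analyze it.
(safe-expand-all '(when (> x 1) (push x seen)))

;; Constructed macro with an expansion-time side effect, the case the
;; allowlist exists to stop. It was never marked safe, so expansion is
;; refused before its body gets a chance to run.
(defvar safe-expand-example-tripped nil
  "Set to t only if the constructed macro below is ever expanded.")

(defmacro acts-at-expansion-time (&rest _body)
  "Constructed example: side effect at expansion time, not evaluation time."
  (setq safe-expand-example-tripped t)
  nil)

(condition-case err
    (safe-expand-all '(progn (acts-at-expansion-time) (when t 1)))
  (safe-macro-expand-refused
   (message "refused to expand %S" (cadr err))))
```

After the last form, `safe-expand-example-tripped` is still nil: the walker reached `(acts-at-expansion-time)` under `progn`, found an unmarked macro and signalled instead of calling it, while the allowlisted `when` and `push` in the first call expanded as usual. This covers the first of the two suggestions in the comment (per-macro safety marks); the second, running the expander itself without access to mutating global state, would need support from the Lisp runtime rather than a wrapper like this one.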
like_any_other, about 2 hours ago
It's getting so very old - all I want out of a process is code autocomplete, but I have to grant it read & write permission to my entire disk and network. When do we get good permissions and sandboxing and isolation? This can't go on.
nextos, about 1 hour ago
I agree granting processes permission to read any file is unsustainable.

In Linux, sandboxing with Firejail and bwrap is quite easy to configure and allows fine-grained permissions.

Also, the new Landlock LSM and LSM-eBPF are quite promising.

boxedemp, about 2 hours ago
I build my own. Maybe I need to externalize it...