Am Donnerstag, dem 13.10.2022 um 12:31 +0300 schrieb Max Brieiev: > > I think this reasoning really falls flat in presence of any non- > > Emacs package manager.  Like, obviously wanting to natively compile > > packages managed by (dpkg, rpm, pacman, emerge, guix), but not > > natively compiling a random elisp script you just downloaded from > > the web is a legitimate use case. > > If security is a concern, you should not load random Elisp in the > first place. It is much easier to just directly run harmful elisp, > then to exploit native compiler, which stays silent until after you > evaluate some (possibly harmful) elisp. The nature of compiled code being compiled makes it much easier to exploit, however. Assume you have a genuine dash.el, but a malicious person delivers you a dash.eln with some backdoor. Unless you know how to read x86 assembly, you won't debug the latter, whereas you could reasonably find the former if you're an Elisp hacker. This is typically not a concern for Guix, where the challenge mechanism provides tools to highlight that something is going wrong, but it might be a concern for traditional distros. Then again, the same applies to bytecode too, and here as well the solution is to typically use a trusted package manager. Cheers