OpenOffice.org security concerns
Posted Jun 14, 2007 3:31 UTC (Thu) by jordanb
In reply to: OpenOffice.org security concerns
Parent article: OpenOffice.org security concerns
Emacs macros were a poor decision made at a time when security was more of a geek's curiosity than a million dollar matter like it is today. And the fix for them is inadequate I think. Quite honestly, I think they should not be included at all. If you want something evaluated you should do it yourself, either with a (load-file) somewhere or by executing it interactively (C-x C-e, etc).
Microsoft Office's macro decision was still made before the Internet so they have some excuse, but their "fix" was even worse than that of emacs. They didn't reduce the ability of the macros to do damage at all, they just put up that stupid warning, and because that warning gets triggered even when the macros are clearly harmless (they don't access anything outside the local file), MS Office users grow immune to them and just instinctively click through.
Given the experience that Microsoft has had, OO.org's inclusion of macros with the exact same deficiencies is downright negligent.
I agree with the OP, macros should be restricted to a clearly-defined sandbox if they're used at all. The Emacs "solution" is especially bad in the case of a office suite because showing a macro to a secretary and asking her to decide if it's dangerous or not is like asking her if there's a dirty word in a randomly selected passage written in ancient greek.
to post comments)