Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I use Emacs at work, where unapproved external packages are prohibited. If Python mode were pushed out to a repo, I would basically be forced to use another editor.

Another example might be using Emacs on a device without network access.

If we relax "can't" to include "won't", then there are casual users who might want to try Emacs but can't be bothered to set up package archives, etc. Such a user will start it up, say "What, no Python mode?", and switch to something else.



Having never worked at a company like that I'm curious how it works. Is it

- No http/https connections

- No write access to home directory

- Internal prohibition against downloading/using something which is a "software package"

?


Internal prohibition. Using Emacs at all requires approval. The "product owner" is not an Emacs user, so building a custom distribution to include, say, Magit, is out of the question. I am stuck using commandline Git :(


> so building a custom distribution to include, say, Magit,

I mean, you don't need to really "build" anything, you just need to install the package:

  (add-to-list 'package-archives '("melpa" . "http://melpa.org/packages/") t)
  (package-initialize)

  M-x package-refresh-contents
  M-x package-install magit
What would happen if you did that?


this sounds a bit crazy.


It is unfortunately common.

Any organization with high-value data has a responsibility to try not to be the next Equifax.

Programmers, sysadmins, and DB admins are excellent targets for attackers.

So, it's not actually so crazy to require that all tools be vetted by internal security teams, especially third-party extensions for Turing machines like Emacs.

I love Emacs but its architecture is a nightmare for Blue Team, and the easiest stance is definitely "no installing packages", or just "thou shalt use this IDE and no other".


I get that, but the right approach to securing high value data is to secure the data, not try and control every aspect of the environment it lives within; that's often more security theater. Note I'm not suggesting that the right approach is "wild west", rather that any vetting process that doesn't allow for well established and widely used tools to be adopted is probably too rigid.


I didn't say the "right" stance was to ban extensions, just the "easiest".

Since humans default to lazy, I thought that clearly explained why the phenomenon happens.

Perhaps I should have been clearer that I don't think it's the ideal approach, even if I understand where it comes from.


In my experience of US corporate culture it's also unfortunately common for employees at all levels to kowtow unnecessarily to "legal" without considering whether what "legal" are saying is sensible or not.


Is there a powerful resistance to approving elisp packages that aren't default? Could you lay the groundwork with whoever maintains the list of approved packages by asking about approving certain versions of emacs packages that you use, and make your current setup much richer at the same time (e.g. by adding lsp-mode, ms-lsp, flycheck and whatever else you may be doing without now).


What is really an "external package" in emacs?

There should be nothing stopping someone just copying and pasting an entire elisp source text from a website into scratch, evaluate the buffer on the spot, and have the exact same functionality as installing the package would.

I'm not saying that retrieving an external package isn't easier, but due to emacs' nature there isn't really sort of delineation based on how the elisp got into the emacs.


It's more complicated than that: Emacs packages should be thought of the same as any other language's packages. They might comprise multiple files, and it's possible that their performance will be noticeably compromised if they are not byte-compiled. Installing Emacs packages should be done with the package manager.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: