From: Stefan Kangas
Subject: [Emacs-diffs] master 61223a0 1/2: Update FAQ section on Emacs security (Bug#37818)
Date: Wed, 23 Oct 2019 19:09:08 -0400 (EDT)

branch: master
commit 61223a046c37d44f67e6600909439d32f8dd34f9
Author: Stefan Kangas <address@hidden>
Commit: Stefan Kangas <address@hidden>

    Update FAQ section on Emacs security (Bug#37818)
    
    * doc/misc/efaq.texi (Security risks with Emacs): Remove section on
    movemail.  Add section on third-party packages.
---
 doc/misc/efaq.texi | 23 ++++++-----------------
 1 file changed, 6 insertions(+), 17 deletions(-)

diff --git a/doc/misc/efaq.texi b/doc/misc/efaq.texi
index b45db4c..0b7b6d9 100644
--- a/doc/misc/efaq.texi
+++ b/doc/misc/efaq.texi
@@ -3207,23 +3207,12 @@ You can tell Emacs the shell's current directory with 
the command
 @itemize @bullet
 
 @item
-The @file{movemail} incident.  (No, this is not a risk.)
-
-In his book @cite{The Cuckoo's Egg}, Cliff Stoll describes this in
-chapter 4.  The site at LBL had installed the @file{/etc/movemail}
-program setuid root.  (As of version 19, @file{movemail} is in your
-architecture-specific directory; type @kbd{C-h v exec-directory
-@key{RET}} to see what it is.)  Since @code{movemail} had not been
-designed for this situation, a security hole was created and users could
-get root privileges.
-
-@code{movemail} has since been changed so that this security hole will
-not exist, even if it is installed setuid root.  However,
-@code{movemail} no longer needs to be installed setuid root, which
-should eliminate this particular risk.
-
-We have heard unverified reports that the 1988 Internet worm took
-advantage of this configuration problem.
+Third party packages.
+
+Any package you install into Emacs can run arbtitrary code with the
+same privileges as the Emacs process itself.  Be aware of this when
+you use the package system (e.g. @code{M-x list-packages}) with third
+party archives.  Use only third parties that you can trust!
 
 @item
 The @code{file-local-variable} feature.  (Yes, a risk, but easy to
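Review bot: the new text at `+Any package you install into Emacs can run arbtitrary code with the` misspells "arbitrary"; since this goes into the user-facing FAQ, fix the spelling before it ships. The same item also breaks the pattern of its siblings in this @itemize list: the remaining entry reads `The @code{file-local-variable} feature.  (Yes, a risk, but easy to`, and the removed one read `The @file{movemail} incident.  (No, this is not a risk.)`, so each item opens with a short risk verdict in parentheses. `+Third party packages.` should carry one too, for example "Third-party packages.  (Yes, a risk, if you add archives you do not trust.)", which also restores the hyphen in "third-party" that the prose body (`third` / `party archives`, `third parties`) drops throughout. Finally, "Use only third parties that you can trust!" is the only actionable advice in the entry; consider stating plainly what the trust decision covers, namely that enabling an archive means every package it serves runs with the full privileges of the Emacs process, which the preceding sentence already establishes and the closing line could tie back to.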