[slime-devel] Re: SLIME security patch
Luke Gorrie
luke at synap.se
Mon May 2 18:43:58 UTC 2005

mdw at nsict.org (Mark Wooding) writes:

> SLIME is very cool; thanks.
>
> It's a shame it's not very secure, though. Below is a patch which
> addresses the two problems I've found:

Thanks Mark! I've applied this. We need to start experimenting with
basic security features and it's handy to have it off by default.

We still have a /tmp file vulnerability though right - I think an
attacker could trick Emacs into connecting to the wrong port?

Erlang's authentication is like this except (a) if the secret file
doesn't exist then it gets created with random contents and (b)
instead of sending the password you send a challenge C and the other
guy proves he knows the password by sending (md5 (concat C secret)).
Keeping the secrets synchronized in that scheme can be a bit boring
though.

Cheers,
Luke
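
The challenge-response scheme mentioned in the message above, sketched in Python as an added example (not part of the original post, and not SLIME or Erlang code). The file name, function names and token sizes are assumptions; MD5 over challenge-then-secret is kept only because that is the construction the message describes.

```python
import hashlib
import hmac
import os
import secrets
import tempfile


def load_or_create_secret(path):
    """Return the shared secret; create it with random contents if absent."""
    try:
        # O_EXCL fails if anything already exists at path (it will not follow a
        # planted symlink); mode 0o600 keeps the new file owner-only.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        with open(path, "rb") as f:
            return f.read()
    secret = secrets.token_hex(32).encode()
    with os.fdopen(fd, "wb") as f:
        f.write(secret)
    return secret


def new_challenge():
    """Fresh random challenge C; one per connection, never reused."""
    return secrets.token_hex(16).encode()


def respond(challenge, secret):
    """Peer's proof of knowledge: md5(concat(C, secret)), hex encoded."""
    return hashlib.md5(challenge + secret).hexdigest()


def verify(challenge, response, secret):
    """Recompute the expected answer and compare in constant time."""
    return hmac.compare_digest(respond(challenge, secret), response)


def demo():
    """Run both sides against one secret file; returns (ok, wrong, replayed)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "slime-secret")  # hypothetical file name
        server_secret = load_or_create_secret(path)  # created on first use
        client_secret = load_or_create_secret(path)  # read back by the peer
        c = new_challenge()
        answer = respond(c, client_secret)
        ok = verify(c, answer, server_secret)
        wrong = verify(c, respond(c, b"not-the-secret"), server_secret)
        # An answer captured for one challenge is useless against a fresh one.
        replayed = verify(new_challenge(), answer, server_secret)
        return ok, wrong, replayed
```

The secret itself never crosses the wire, and because each connection gets a new challenge, an observed response cannot be replayed.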