Towards Trust in Emacs

Emacs has long been a favorite among developers for its extensibility, but its security model lagged until version 30 introduced an explicit trust system. By treating every file as untrusted out of the box, the editor mitigated risks such as the CVE‑2024‑53920 arbitrary‑code‑execution flaw. However, the blunt default forced users to constantly re‑enable essential features like elisp‑flymake, creating a usability bottleneck that many chose to bypass by disabling trust checks altogether. This tension between protection and friction highlighted a need for a more nuanced solution.

Enter trust‑manager, a lightweight package available on MELPA that automates trust decisions without compromising safety. When a project is opened for the first time, the mode prompts the user to trust the entire directory, storing the choice in a persistent alist. Trusted locations—including the user’s init files, early init, custom file, and all load‑path directories—are auto‑approved, so core Emacs Lisp tooling works immediately. A subtle red “?” appears in the mode line of untrusted buffers, offering a one‑click path to grant trust and instantly reactivate disabled features. Customization commands let power users fine‑tune trust at the file or project level, and trust entries are cleared when a project is forgotten, preventing stale permissions.

The broader implication for the open‑source ecosystem is significant. By providing a frictionless trust workflow, trust‑manager encourages wider adoption of Emacs’s security model, reducing the temptation to disable safeguards. This approach aligns with best practices in software security: enforce defaults that protect users while offering clear, low‑overhead mechanisms to override when appropriate. As more developers integrate trust‑manager into their configurations, Emacs can maintain its reputation for flexibility without exposing itself to the same class of vulnerabilities that have plagued earlier releases.