From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!.POSTED!not-for-mail From: nljlistbox2@gmail.com (N. Jackson) Newsgroups: gmane.emacs.bugs Subject: bug#28597: 26.0.60; [Security] Configure should use --without-pop by default Date: Fri, 29 Sep 2017 12:07:14 -0400 Message-ID: <87ing17akt.fsf@moondust.localdomain> References: <837ewh8x5z.fsf@gnu.org> NNTP-Posting-Host: blaine.gmane.org Mime-Version: 1.0 Content-Type: text/plain X-Trace: blaine.gmane.org 1506701293 26298 195.159.176.226 (29 Sep 2017 16:08:13 GMT) X-Complaints-To: usenet@blaine.gmane.org NNTP-Posting-Date: Fri, 29 Sep 2017 16:08:13 +0000 (UTC) User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.60 (gnu/linux) Cc: John Wiegley , eggert@cs.ucla.edu, 28597@debbugs.gnu.org To: Eli Zaretskii Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Fri Sep 29 18:08:08 2017 Return-path: Envelope-to: geb-bug-gnu-emacs@m.gmane.org Original-Received: from lists.gnu.org ([208.118.235.17]) by blaine.gmane.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dxxpf-0006Ts-L6 for geb-bug-gnu-emacs@m.gmane.org; Fri, 29 Sep 2017 18:08:07 +0200 Original-Received: from localhost ([::1]:36014 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dxxpm-0003qn-TX for geb-bug-gnu-emacs@m.gmane.org; Fri, 29 Sep 2017 12:08:14 -0400 Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:35262) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dxxpe-0003qe-5N for bug-gnu-emacs@gnu.org; Fri, 29 Sep 2017 12:08:10 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dxxpa-00011E-4y for bug-gnu-emacs@gnu.org; Fri, 29 Sep 2017 12:08:06 -0400 Original-Received: from debbugs.gnu.org ([208.118.235.43]:58994) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1dxxpa-00010p-0f for bug-gnu-emacs@gnu.org; Fri, 29 Sep 2017 12:08:02 -0400 Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1dxxpZ-0001fh-Li for bug-gnu-emacs@gnu.org; Fri, 29 Sep 2017 12:08:01 -0400 X-Loop: help-debbugs@gnu.org Resent-From: nljlistbox2@gmail.com (N. Jackson) Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Fri, 29 Sep 2017 16:08:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 28597 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: Original-Received: via spool by 28597-submit@debbugs.gnu.org id=B28597.15067012446372 (code B ref 28597); Fri, 29 Sep 2017 16:08:01 +0000 Original-Received: (at 28597) by debbugs.gnu.org; 29 Sep 2017 16:07:24 +0000 Original-Received: from localhost ([127.0.0.1]:39442 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dxxoy-0001ei-D2 for submit@debbugs.gnu.org; Fri, 29 Sep 2017 12:07:24 -0400 Original-Received: from mail-io0-f176.google.com ([209.85.223.176]:51667) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dxxox-0001eW-0p for 28597@debbugs.gnu.org; Fri, 29 Sep 2017 12:07:23 -0400 Original-Received: by mail-io0-f176.google.com with SMTP id l15so211000iol.8 for <28597@debbugs.gnu.org>; Fri, 29 Sep 2017 09:07:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:references:date:in-reply-to:message-id :user-agent:mime-version; bh=maVzb6GBCCwln5hMBSSAimyYqyX5wrt17uAj0SZV5EM=; b=Im2iH1wW3t1pFll8qA3ugy7gUntZDdRT2muU+s81t+qboeZhyjDsU4zXgwmtV+7TCS jYb5+X14TcGnDvEd1+LKebzqAfStzllXm02dSNG3Onxk+jM9LECF1Mk7pPtRrCSm8l33 NhKEY5NhiGCbVmFdhaVisZk6boKj21lIe9Nd+IwmSf/i43cbj8UKkVXtUit4ycrMDXwW nVJ3s+wlQBiAUtpsqIoh3XOtOxQ1gVqkAQ3xD5FQ6vRz6PEkY5Nj/VMivfMa1W9yGsi+ X936FzI3L9JUPc8gEGqgVpQpMypUo5t8i2laVbFJAqtQnzQSDbTyCwd2A96KWOxyD8Vl dTnA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:references:date:in-reply-to :message-id:user-agent:mime-version; bh=maVzb6GBCCwln5hMBSSAimyYqyX5wrt17uAj0SZV5EM=; b=n+K9sAFvf365C2XsTsk1ddf1t2JHuHdoEl/xj6GlfSkCGkgcIoHZGlS/i8AM/U2K0B nzNtbKoRoiXqhVVXIuc+G39j5hWO0ZYW+JQF9E9Tt2yigZwM/aDlFdB28eu6IwNr/ogk BaTDuWET+UOWQuMXpFMVvNMd5vJ+r3Pb3wTsfMR0UEMH0pmELg5VvEnDMeJCAkJQPl+6 Xm3qiTcpSVqFIy+YqhSR3mYsSi78/axjAlhsa0mgfd5Ji8XN/1Nw4D/mSw5Gy1QP7eH2 /zUrLiwVETI1tKPVmfKnPYBu4SQi6ueUohXiMRi2WDfmllNhzf/XJC2MHHCIbEEDtYS/ ElBg== X-Gm-Message-State: AMCzsaXlT6xAX0TFL8w09nR1t9d2KishQyGcyd6vTNySJsISrizNf1Ns CbCBYG4uSRtL2/i6R4+APDj39w== X-Google-Smtp-Source: AOwi7QCi/DuJyOP6m/9ILw09u2MQ+e4OT4j+vxT325okdVU2o8KdPZDuwJFf53lmftixunP5zGvgQA== X-Received: by 10.107.97.5 with SMTP id v5mr1896407iob.174.1506701237121; Fri, 29 Sep 2017 09:07:17 -0700 (PDT) Original-Received: from moondust.localdomain.nodomain.none ([72.143.113.194]) by smtp.gmail.com with ESMTPSA id i15sm1848841iod.18.2017.09.29.09.07.15 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Fri, 29 Sep 2017 09:07:16 -0700 (PDT) In-Reply-To: <837ewh8x5z.fsf@gnu.org> (Eli Zaretskii's message of "Fri, 29 Sep 2017 16:14:00 +0300") X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 208.118.235.43 X-BeenThere: bug-gnu-emacs@gnu.org List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Original-Sender: "bug-gnu-emacs" Xref: news.gmane.org gmane.emacs.bugs:137605 Archived-At: At 16:14 +0300 on Friday 2017-09-29, Eli Zaretskii wrote: > >> >>>>> Paul Eggert writes: >> >> > As Glenn noted, the 'configure' message N. mentions came from >> > an uneasy compromise between worry about the default >> > lack-of-security in Emacs, and worry about backward >> > compatibility (see Bug#26102). Although I favor making >> > --without-pop the default, at this point it's really an issue >> > for the two maintainers to decide. > > I already agreed in > http://lists.gnu.org/archive/html/emacs-devel/2017-08/msg00054.html > to have --without-pop be the default, and Paul already installed > a patch to do that. And yet --without-pop does not appear to be the default here on the emacs-26 branch. I updated a few minutes ago (commit 61225964edbaa01e49a6e776af00502ab31767b5), and running configure writes the following to stderr: configure: WARNING: Your version of Gtk+ will have problems with closing open displays. This is no problem if you just use one display, but if you use more than one and close one of them Emacs may crash. See http://bugzilla.gnome.org/show_bug.cgi?id=85715 configure: WARNING: This configuration installs a 'movemail' program that retrieves POP3 email via only insecure channels. To omit insecure POP3, you can use './configure --without-pop'. > So I'm confused about this discussion: what exactly is the > problem, and what needs to be done/decided? The problem is that --without-pop is not the default, or at least that it appears that it is not the default. The general agreement seems to be that it should be the default. N.