From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!.POSTED!not-for-mail
From: David Engster <david@engster.org>
Newsgroups: gmane.emacs.bugs
Subject: bug#33587: [PROPOSED] Default to disabling ImageMagick
Date: Tue, 04 Dec 2018 18:38:59 +0100
Message-ID: <87pnuhkx8s.fsf@randomsample>
References: <20181202180919.32270-1-eggert@cs.ucla.edu>
	<4qo9a2xwb6.fsf@fencepost.gnu.org> <87tvjtkzgg.fsf@randomsample>
	<ds36rdjkfz.fsf@fencepost.gnu.org>
NNTP-Posting-Host: blaine.gmane.org
Mime-Version: 1.0
Content-Type: text/plain
X-Trace: blaine.gmane.org 1543945092 10294 195.159.176.226 (4 Dec 2018 17:38:12 GMT)
X-Complaints-To: usenet@blaine.gmane.org
NNTP-Posting-Date: Tue, 4 Dec 2018 17:38:12 +0000 (UTC)
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)
Cc: Paul Eggert <eggert@cs.ucla.edu>, 33587@debbugs.gnu.org
To: Glenn Morris <rgm@gnu.org>
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Tue Dec 04 18:38:08 2018
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by blaine.gmane.org with esmtp (Exim 4.84_2)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1gUEe5-0002Vv-KG
	for geb-bug-gnu-emacs@m.gmane.org; Tue, 04 Dec 2018 18:38:05 +0100
Original-Received: from localhost ([::1]:58274 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1gUEgC-00011m-DG
	for geb-bug-gnu-emacs@m.gmane.org; Tue, 04 Dec 2018 12:40:16 -0500
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:58642)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1gUEg5-0000qr-DA
	for bug-gnu-emacs@gnu.org; Tue, 04 Dec 2018 12:40:10 -0500
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1gUEfz-0008D5-I5
	for bug-gnu-emacs@gnu.org; Tue, 04 Dec 2018 12:40:09 -0500
Original-Received: from debbugs.gnu.org ([208.118.235.43]:56660)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1gUEfz-0008Cx-Dk
	for bug-gnu-emacs@gnu.org; Tue, 04 Dec 2018 12:40:03 -0500
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1gUEfy-0004oO-VZ
	for bug-gnu-emacs@gnu.org; Tue, 04 Dec 2018 12:40:03 -0500
X-Loop: help-debbugs@gnu.org
Resent-From: David Engster <david@engster.org>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Tue, 04 Dec 2018 17:40:01 +0000
Resent-Message-ID: <handler.33587.B33587.154394514518410@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 33587
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: security
Original-Received: via spool by 33587-submit@debbugs.gnu.org id=B33587.154394514518410
	(code B ref 33587); Tue, 04 Dec 2018 17:40:01 +0000
Original-Received: (at 33587) by debbugs.gnu.org; 4 Dec 2018 17:39:05 +0000
Original-Received: from localhost ([127.0.0.1]:60918 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1gUEf2-0004mr-Ks
	for submit@debbugs.gnu.org; Tue, 04 Dec 2018 12:39:04 -0500
Original-Received: from randomsample.de ([5.45.97.173]:49484)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <david@engster.org>) id 1gUEez-0004mQ-Dd
	for 33587@debbugs.gnu.org; Tue, 04 Dec 2018 12:39:03 -0500
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=randomsample.de; s=a; 
	h=Content-Type:MIME-Version:Message-ID:Date:References:In-Reply-To:Subject:Cc:To:From;
	bh=5sLKWxy2/LY/BNMtUZ30y4fGwxkIqdyYGBDnjgUE//o=; 
	b=NrS5iOKbmMocFTafMHzMlpzva9/uH/aewtixBjp9dFJEv45rdIFSEsP0vGWpWElTTQZ0DHd9y/AplwtP2CKTETlvndmVRIxis3t+iqs03456AbkN3h0vncTzzqI4vB+i;
Original-Received: from ip4d1684c5.dynamic.kabel-deutschland.de ([77.22.132.197]
	helo=void)
	by randomsample.de with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
	(Exim 4.80) (envelope-from <david@engster.org>)
	id 1gUEey-00081h-39; Tue, 04 Dec 2018 18:39:00 +0100
In-Reply-To: <ds36rdjkfz.fsf@fencepost.gnu.org> (Glenn Morris's message of
	"Tue, 04 Dec 2018 12:00:48 -0500")
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 208.118.235.43
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
	the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-gnu-emacs/>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org
Original-Sender: "bug-gnu-emacs"
	<bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>
Xref: news.gmane.org gmane.emacs.bugs:153069
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/153069>

Glenn Morris writes:
> Note that Red Hat Enterprise Linux 8 _will_ drop ImageMagick completely
> (though it will probably be available from an add-on repository),
> presumably because they don't feel able to keep up with the security
> issues. That's what prompted me to first raise this in
>
> http://lists.gnu.org/r/emacs-devel/2018-12/msg00036.html

RHEL can do this because they're supporting way less packages than other
distributions. As you know, enterprise customers have other priorities
than home desktop users. Debian cannot remove Imagemagick because many
other packages depend on it, at least currently.

>> If for instance Debian has to take care of Imagemagick security issues
>> anyway, why shouldn't Emacs link to it?
>
> (For reference:
> https://security-tracker.debian.org/tracker/source-package/imagemagick )
>
> Because one can never guarantee all security issues are fixed, and if a
> project has a history of having a lot of them, it may be considered
> likely to be insecure. Also there are the various Emacs crash reports
> due to ImageMagick.

I understand the reasoning. To me, image scaling is essential for what
I'm doing with Emacs, so I'm willing to take that risk. But that's just
one data point.

Don't get me wrong: I don't object to disable it by default. Let's see
what happens. Maybe distributions will then disable it as well, but they
have their own ways to see how changes like these affect users (by
having an 'unstable' tree or whatever).

-David