From: Paul Eggert
Newsgroups: gmane.emacs.bugs
Subject: bug#28597: 26.0.60; [Security] Configure should use --without-pop by default
Date: Mon, 2 Oct 2017 11:23:05 -0700
Organization: UCLA Computer Science Department
References: <837ewh8x5z.fsf@gnu.org> <87r2upd2h5.fsf@gmail.com> <83a81d7666.fsf@gnu.org> <87h8vl1db2.fsf@gmail.com> <873771wm1y.fsf@gmail.com>
In-Reply-To: <873771wm1y.fsf@gmail.com>
To: Robert Pluim, Eli Zaretskii
Cc: jwiegley@gmail.com, 28597@debbugs.gnu.org, nljlistbox2@gmail.com
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="------------C28F3EE0326DE1C2AF63E00D"

This is a multi-part message in MIME format.
--------------C28F3EE0326DE1C2AF63E00D
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit

Thanks for working on this. However, Eli asked for --with-pop to remain the default on native MS-Windows. Also, I found the newly-added warnings confusing (though admittedly everything is confusing here :-).

How about the attached patch instead? It does not change the configure-time warnings. It merely changes the default, so that --without-pop is now the default on platforms other than native MS-Windows.

--------------C28F3EE0326DE1C2AF63E00D
Content-Type: text/x-patch; name="0001-with-pop-is-now-the-default-only-on-MS-Windows.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename*0="0001-with-pop-is-now-the-default-only-on-MS-Windows.patch"

From 0e6c02134df40b56ca3b100ae0cc1a9d957a6e7f Mon Sep 17 00:00:00 2001
From: Paul Eggert Date: Mon, 2 Oct 2017 11:17:36 -0700 Subject: [PATCH] --with-pop is now the default only on MS-Windows Problem reported by N. Jackson (Bug#28597). This improves an earlier suggestion by Robert Pluim (Bug#28597#47). * INSTALL, configure.ac, etc/NEWS: Make --with-pop the default only on native MS-Windows. --- INSTALL | 6 ++++-- configure.ac | 19 +++++++++++++------ etc/NEWS | 5 +++-- 3 files changed, 20 insertions(+), 10 deletions(-) diff --git a/INSTALL b/INSTALL index e76e843ce2..e93b3064fc 100644 --- a/INSTALL +++ b/INSTALL @@ -273,8 +273,10 @@ a POP3 server by default. Versions of the POP protocol older than POP3 are not supported. While POP3 support is typically enabled, whether Emacs actually uses POP3 is controlled by individual users; see the Rmail chapter of the Emacs manual. Unless --with-mailutils is -in effect, it is a good idea to configure --without-pop so that users -are less likely to inadvertently read email via insecure channels. +in effect, it is a good idea to configure without POP3 support so that +users are less likely to inadvertently read email via insecure +channels. On native MS-Windows, --with-pop is the default; on other +platforms, --without-pop is the default. For image support you may have to download, build, and install the appropriate image support libraries for image types other than XBM and diff --git a/configure.ac b/configure.ac index eb2c684040..3feac73bed 100644 --- a/configure.ac +++ b/configure.ac 
@@ -232,9 +232,9 @@ AC_DEFUN m4_bpatsubst([with_$1], [[^0-9a-z]], [_])=$with_features])dnl ])dnl -# FIXME: The default options '--without-mailutils --with-pop' result -# in a movemail implementation that supports only unencrypted POP3 -# connections. Encrypted connections should be the default. +# For retrieving mail, unencrypted network connections are the default +# only on native MS-Windows platforms. (FIXME: These platforms should +# also be secure by default.) AC_ARG_WITH([mailutils], [AS_HELP_STRING([--with-mailutils], @@ -251,9 +251,16 @@ AC_DEFUN fi AC_SUBST([with_mailutils]) -OPTION_DEFAULT_ON([pop], - [don't support POP mail retrieval with movemail (--without-pop or - --with-mailutils is recommended, as movemail POP is insecure)]) +AC_ARG_WITH([pop], + [AS_HELP_STRING([--with-pop], + [Support POP mail retrieval if Emacs movemail is used (not recommended, + as Emacs movemail POP is insecure). This is the default only on + native MS-Windows.])], + [], + [case $host in + *-mingw*) with_pop=yes;; + *) with_pop=no;; + esac]) if test "$with_pop" = yes; then AC_DEFINE(MAIL_USE_POP) fi diff --git a/etc/NEWS b/etc/NEWS index b734e8dd19..62d2450f9a 100644 --- a/etc/NEWS +++ b/etc/NEWS @@ -35,8 +35,9 @@ GNU Mailutils to retrieve email. It is recommended, and is the default if GNU Mailutils is installed. When --with-mailutils is not in effect, the Emacs build procedure by default continues to build and install a limited 'movemail' substitute that retrieves POP3 email only -via insecure channels; to avoid this problem, use either ---with-mailutils or --without-pop when configuring. +via insecure channels. To avoid this problem, use either +--with-mailutils or --without-pop when configuring; --without-pop +is the default on platforms other than native MS-Windows. ** The new option 'configure --enable-gcc-warnings=warn-only' causes GCC to issue warnings without stopping the build. This behavior is -- 2.13.6 --------------C28F3EE0326DE1C2AF63E00D--
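
Review bot: In the INSTALL hunk, the unchanged context line "While POP3 support is typically enabled" now contradicts the sentence added at the end of the paragraph, which says --without-pop is the default on every platform except native MS-Windows. Reword that lead-in in the same patch, for example to say POP3 support is enabled by default only on native MS-Windows, so a packager reading the paragraph is not told both that POP3 is usually on and that it is off by default.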
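
Review bot: In the configure.ac hunk that replaces OPTION_DEFAULT_ON([pop], ...), the new default is chosen by "case $host in *-mingw*) with_pop=yes;;", and nothing in the hunk shows that $host has been set by the time this code runs. If the canonical host has not been computed yet at this point in configure.ac, $host is empty, the case falls through to "*) with_pop=no;;", and native MS-Windows builds silently lose the default Eli asked to keep. Please confirm the ordering, or key the default off a variable that is known to be set here. Separately, the action-if-given argument is empty, so a value such as --with-pop=maybe is accepted without complaint and only an exact "yes" reaches AC_DEFINE(MAIL_USE_POP); rejecting values other than yes and no would make a mistyped option visible.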
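
Review bot: In the etc/NEWS hunk, the unchanged context still says the build "by default continues to build and install a limited 'movemail' substitute that retrieves POP3 email only via insecure channels", which no longer matches the clause added at the end stating that --without-pop is the default outside native MS-Windows. Since NEWS is where users learn the security-relevant default changed, state it directly: the substitute movemail gets POP3 support only when --with-pop is given or on native MS-Windows, rather than leaving the old "by default" wording and correcting it two sentences later.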