From: Kelly Dean
Newsgroups: gmane.emacs.bugs
Subject: bug#19479: Package manager vulnerable
Date: Thu, 08 Jan 2015 05:29:44 +0000
To: Glenn Morris
Cc: 19479@debbugs.gnu.org

Glenn Morris wrote:
> I appreciate the spirit of wanting to provide a patch, but unless you
> have changed your position on the Emacs copyright assignment, I don't
> see that this patch can be used by Emacs.

I did do what you requested: submit a bug report, but not a patch. But this isn't just a bug; it's a security vulnerability, and Stefan invited me to submit a patch to fix it. So then I did.

Regarding the copyright issue, please don't conflate two separate issues like your copyright clerk tried to.

The first issue is: does the FSF want any more public domain code in Emacs than is already there? The answer is ‟no”, as explained by Donald R Robertson III, your copyright clerk, on February 19, 2013. When explaining why the FSF wouldn't accept my PD code, he wrote, ‟It really is more beneficial for our enforcement efforts if we get the work assigned instead of 'disclaimed'. We will only accept a disclaimer instead of an assignment in particular circumstances.”

Of course, he's right; PD code isn't useful for your enforcement efforts, but it's absurd to say it's an issue for my patches, which even including this latest one, amount to no more than a few parts per million of the Emacs code base. Obviously it doesn't hurt your efforts; no copyright judge is going to care if Emacs has a few lines of Hamlet or any other PD information in it. The judge will let you sue people for GPL violations just the same.

Anyway, the first issue is clear: new PD code is unwelcome in Emacs. Emacs is your project, not mine, so regardless of how silly I think your exclusion of PD code is, I abided (and still abide) by your wishes. I submitted this patch because Stefan invited me to. Maybe Stefan just forgot that you asked me not to submit any more patches, but I assumed he invited this patch because a security vulnerability counted as a ‟particular circumstance” that your copyright clerk mentioned.

The second issue is: is my code in the public domain? The answer is ‟yes”; the author of SQLite says that's PD, and it is, the author of Qmail says that's PD, and it is, and I'm simply doing the same thing they are. My code is in the public domain. If you want, I can PGP-sign and publish on my website a statement that my patches are PD, even though that's more than the authors of SQLite and Qmail deemed necessary for their code.

Your clerk wrote, ‟placing a work in the public domain is difficult/may not be possible”. But that's obviously false, as proven by his statement that you do (sometimes) accept disclaimers, and as proven by the general legal acceptance of other people's statements that their work is PD, including highly respected authors such as Richard Hipp.

It's clear that the second issue is not an issue, especially in the United States, which is where I am, and the only purpose served by the FSF bringing it up is clouding the first issue, which is the only real issue.

I recommend not rejecting a patch to fix a security vulnerability just for the sake of keeping 29 lines of new PD code out of Emacs. If it really is too much PD code, then I recommend deleting feedmail.el (PD) to compensate.