From: Ulrich Mueller <ulm@gentoo.org>
To: rms@gnu.org
Cc: eggert@cs.ucla.edu, winkler@gnu.org, emacs-devel@gnu.org
Subject: Re: [ANNOUNCE] Emacs 25.3 released
Date: Thu, 14 Sep 2017 08:37:18 +0200 [thread overview]
Message-ID: <22970.9118.120245.720675@a1i15.kph.uni-mainz.de> (raw)
In-Reply-To: <E1dsJAx-0006ho-V6@fencepost.gnu.org>
>>>>> On Wed, 13 Sep 2017, Richard Stallman wrote:
>> Please don't. That would break the download for distros who rely on
>> pristine upstream sources and apply separate patches. For example,
>> Gentoo still has packages app-editors/emacs-23.4-r16 and
>> app-editors/emacs-24.5-r4 (of course, both *with* the fix for
>> enriched-mode).
> So how do we inform people not to download the broken versions?
Bugs (security or other) happen all the time, so most old versions
will be broken in some way. In spite of that, I am not aware of any
project that is renaming its old tarballs.
It is also not the first time there is a security bug in GNU Emacs
(although it's been a while since the last one). A quick search shows
CVE-2014-3421, -3422, -3423, and -3424 concerning insecure handling
of temporary files in gnus-fun.el, find-gc.el, browse-url.el, and
tramp.el. No renaming of tarballs took place, neither for that issue
(which affected Emacs 24.3) nor for any previous ones.
I would also assume that users will generally download only the latest
version of any given software, and that they are aware that old
versions can contain bugs.
> If Gentoo will have a patch to fix that version,
> can't the same patch put in the new file name of that version?
Sure, we could update the filename in our ebuild. Which would mean
more work though. We have some 19000 packages in the distro, and
there's other work to do than monitoring if upstream tarballs have
been renamed.
Ulrich
next prev parent reply other threads:[~2017-09-14 6:37 UTC|newest]
Thread overview: 119+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-09-11 20:52 [ANNOUNCE] Emacs 25.3 released Nicolas Petton
2017-09-12 8:48 ` Andreas Schwab
2017-09-12 11:29 ` Nicolas Petton
2017-09-12 11:56 ` Andreas Schwab
2017-09-12 12:10 ` Rostislav Svoboda
2017-09-12 12:42 ` Eli Zaretskii
2017-09-12 12:44 ` Clément Pit-Claudel
2017-09-12 12:55 ` Nicolas Petton
2017-09-12 13:03 ` Andreas Schwab
2017-09-12 13:29 ` Rostislav Svoboda
2017-09-12 15:25 ` Eli Zaretskii
2017-09-12 15:48 ` Andreas Schwab
2017-09-12 15:55 ` Paul Eggert
2017-09-12 16:38 ` Eli Zaretskii
2017-09-12 18:26 ` Nicolas Petton
2017-09-12 19:09 ` Nicolas Petton
2017-09-12 16:38 ` Eli Zaretskii
2017-09-12 18:39 ` Nicolas Petton
2017-09-13 6:49 ` Andreas Schwab
2017-09-12 16:42 ` Rostislav Svoboda
2017-09-12 16:54 ` Eli Zaretskii
2017-09-12 18:38 ` Nicolas Petton
2017-09-12 18:57 ` Eli Zaretskii
2017-09-12 19:00 ` Robert Weiner
2017-09-12 20:49 ` martin rudalics
2017-09-12 22:05 ` Rostislav Svoboda
2017-09-12 23:39 ` Clément Pit-Claudel
2017-09-13 16:18 ` Tino Calancha
2017-09-13 16:39 ` Richard Stallman
2017-09-20 22:32 ` Tim Cross
2017-09-21 7:25 ` Richard Copley
2017-09-21 7:56 ` Eli Zaretskii
2017-09-21 18:53 ` Richard Copley
2017-09-21 19:15 ` Eli Zaretskii
2017-09-21 19:26 ` Richard Copley
2017-09-21 20:56 ` Phillip Lord
2017-09-22 7:08 ` Eli Zaretskii
2017-09-22 15:29 ` Richard Stallman
2017-09-27 10:18 ` Phillip Lord
2017-09-29 9:54 ` Stephen Leake
2017-09-29 10:46 ` Phillip Lord
2017-09-29 12:46 ` Richard Copley
2017-10-02 11:54 ` Phillip Lord
2017-09-30 7:22 ` Stephen Leake
2017-09-21 20:37 ` Phillip Lord
2017-09-22 2:02 ` Stephen Leake
2017-09-22 7:04 ` Eli Zaretskii
2017-09-12 15:22 ` Eli Zaretskii
2017-09-12 15:47 ` Andreas Schwab
2017-09-12 16:37 ` Eli Zaretskii
2017-09-13 6:45 ` Andreas Schwab
2017-09-13 6:50 ` Andreas Schwab
2017-09-13 7:07 ` Paul Eggert
2017-09-13 7:40 ` Nicolas Petton
2017-09-13 8:53 ` Paul Eggert
2017-09-13 8:57 ` Rostislav Svoboda
2017-09-13 14:51 ` Eli Zaretskii
2017-09-13 14:34 ` Eli Zaretskii
2017-09-13 8:24 ` Eli Zaretskii
2017-09-13 8:27 ` Andreas Schwab
2017-09-13 8:42 ` Eli Zaretskii
2017-09-13 8:48 ` Andreas Schwab
2017-09-13 14:36 ` Eli Zaretskii
2017-09-13 15:12 ` Mike Gerwitz
2017-09-13 15:57 ` Eli Zaretskii
2017-09-13 18:14 ` Nicolas Petton
2017-09-19 23:36 ` John Wiegley
2017-09-12 15:17 ` Eli Zaretskii
2017-09-12 22:13 ` Richard Stallman
2017-09-14 14:19 ` Jorge A. Alfaro-Murillo
2017-09-14 20:50 ` Richard Stallman
2017-09-13 1:41 ` Stefan Monnier
2017-09-12 12:40 ` Eli Zaretskii
2017-09-12 16:05 ` Philippe Vaucher
2017-09-12 16:30 ` Paul Eggert
2017-09-12 16:52 ` Eli Zaretskii
2017-09-12 18:26 ` Thien-Thi Nguyen
2017-09-12 18:49 ` Eli Zaretskii
2017-09-13 16:39 ` Richard Stallman
2017-09-13 16:39 ` Richard Stallman
2017-09-14 6:51 ` Thien-Thi Nguyen
2017-09-15 8:01 ` Eli Zaretskii
2017-09-12 16:40 ` Eli Zaretskii
2017-09-14 11:15 ` Philippe Vaucher
2017-09-12 22:11 ` Timur Aydin
2017-09-12 22:16 ` Richard Stallman
2017-09-12 16:06 ` Roland Winkler
2017-09-12 16:41 ` Paul Eggert
2017-09-12 16:54 ` Roland Winkler
2017-09-12 17:12 ` Eli Zaretskii
2017-09-12 17:40 ` Paul Eggert
2017-09-12 17:57 ` Eli Zaretskii
2017-09-12 18:29 ` Nicolas Petton
2017-09-13 16:39 ` Richard Stallman
2017-09-13 19:36 ` Ulrich Mueller
2017-09-14 1:42 ` Richard Stallman
2017-09-14 6:37 ` Ulrich Mueller [this message]
2017-09-14 13:24 ` Etienne Prud’homme
2017-09-14 15:01 ` Nicolas Petton
2017-09-14 20:52 ` [ANNOUNCE] " Richard Stallman
2017-09-12 16:42 ` Eli Zaretskii
2017-09-12 17:46 ` Phillip Lord
2017-09-13 1:46 ` Stefan Monnier
2017-09-14 19:49 ` security-patches package (was: [ANNOUNCE] Emacs 25.3 released) Ted Zlatanov
2017-09-15 12:32 ` security-patches package Stefan Monnier
2017-09-16 15:50 ` Ted Zlatanov
2017-09-21 20:01 ` Phillip Lord
2017-09-22 3:12 ` Stefan Monnier
[not found] ` <878th32hzx.fsf@russet.org.uk>
2017-09-25 10:24 ` Phillip Lord
2017-09-22 12:59 ` Ted Zlatanov
2017-09-23 4:15 ` Stephen Leake
2017-09-12 23:45 ` Hotfixing older Emacsen? Was: [ANNOUNCE] Emacs 25.3 released Clément Pit-Claudel
2017-09-14 10:05 ` Phillip Lord
2017-09-18 0:03 ` Richard Stallman
2017-09-18 7:48 ` Nicolas Petton
2017-09-18 11:38 ` Stefan Monnier
2017-09-18 20:31 ` Richard Stallman
2017-09-18 20:30 ` Richard Stallman
2017-09-13 18:40 ` Charles A. Roelli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=22970.9118.120245.720675@a1i15.kph.uni-mainz.de \
--to=ulm@gentoo.org \
--cc=eggert@cs.ucla.edu \
--cc=emacs-devel@gnu.org \
--cc=rms@gnu.org \
--cc=winkler@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).