From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail
From: Eli Zaretskii <eliz@gnu.org>
Newsgroups: gmane.emacs.devel
Subject: Re: Request to backport fix for CVE-2022-45939 to Emacs 28
Date: Wed, 15 Feb 2023 14:28:01 +0200
Message-ID: <837cwjcdv2.fsf@gnu.org>
References: <85f35c42-cfe8-44a7-a9c1-307acc5c17d4@Spark>
 <09998122-0110-454f-94d1-e29c37b833f4@Spark> <83sff9e1is.fsf@gnu.org>
 <tencent_EFC6F74E5CBE2EFC25F8831372C6B926AD05@qq.com>
 <838rh0e64j.fsf@gnu.org> <86ttzougu2.fsf@gmail.com>
Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214";
	logging-data="2429"; mail-complaints-to="usenet@ciao.gmane.io"
Cc: lx@shellcodes.org, comms@dabrev.com, emacs-devel@gnu.org
To: Tim Cross <theophilusx@gmail.com>
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Wed Feb 15 13:29:03 2023
Return-path: <emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org>
Envelope-to: ged-emacs-devel@m.gmane-mx.org
Original-Received: from lists.gnu.org ([209.51.188.17])
	by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org>)
	id 1pSGuF-0000Qy-M9
	for ged-emacs-devel@m.gmane-mx.org; Wed, 15 Feb 2023 13:29:03 +0100
Original-Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <emacs-devel-bounces@gnu.org>)
	id 1pSGta-00044Q-OB; Wed, 15 Feb 2023 07:28:22 -0500
Original-Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <eliz@gnu.org>) id 1pSGtZ-00044H-QR
 for emacs-devel@gnu.org; Wed, 15 Feb 2023 07:28:21 -0500
Original-Received: from fencepost.gnu.org ([2001:470:142:3::e])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <eliz@gnu.org>)
 id 1pSGtX-0008Q1-Pb; Wed, 15 Feb 2023 07:28:19 -0500
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org;
 s=fencepost-gnu-org; h=References:Subject:In-Reply-To:To:From:Date:
 mime-version; bh=keT1HsjNvwMTYAccPXvXoYdgZsuDpvV7OsZ08ALmBSA=; b=MaxpCN8C3vVe
 CUILMQwM2lc9c9U/1i9bBJ7Mq/ijmo9pMoDLbGeIEfuGLkbdtTg6BNTAEdcdJp7cgfcuClgIB9AXP
 5AQQCjE6hZbQHuAqxvLaIucXZ5G6bj3yjJfF7iblpZydiEFvusjM6wpJkxBdMylEEvUHj6PjeBBSM
 JPD8ceqdGFOa4uobVyHaO+CShjImprntQqgOIkrUy26urggtvzWG+iOGUHgISDYIwNczNbn3oOdJa
 BFVgkcvoMJCqPi7geYWQajn8/kLzlZFTpwqJH33aoAljvgdy6q/+nTeTs4j8P2fpzMODuZcipd9Pj
 2rUS+VDvzbkEePxLdt9SZA==;
Original-Received: from [87.69.77.57] (helo=home-c4e4a596f7)
 by fencepost.gnu.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <eliz@gnu.org>)
 id 1pSGtX-0002I8-9H; Wed, 15 Feb 2023 07:28:19 -0500
In-Reply-To: <86ttzougu2.fsf@gmail.com> (message from Tim Cross on Wed, 15 Feb
 2023 07:10:58 +1100)
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Emacs development discussions." <emacs-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/emacs-devel>,
 <mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/emacs-devel>
List-Post: <mailto:emacs-devel@gnu.org>
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/emacs-devel>,
 <mailto:emacs-devel-request@gnu.org?subject=subscribe>
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org
Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org
Xref: news.gmane.io gmane.emacs.devel:303301
Archived-At: <http://permalink.gmane.org/gmane.emacs.devel/303301>

> From: Tim Cross <theophilusx@gmail.com>
> Cc: lux <lx@shellcodes.org>, comms@dabrev.com, emacs-devel@gnu.org
> Date: Wed, 15 Feb 2023 07:10:58 +1100
> 
> 
> Eli Zaretskii <eliz@gnu.org> writes:
> 
> > But that is not what the OP requested: he requested that we also
> > produce an Emacs 28.3 release.  And that is a much larger job, for
> > which we currently don't have the time or resources.
> 
> While I understand the resourcing issues, I think this is the wrong
> decision. We are in the situation where the current released version of
> Emacs has a known security exploit with a severity classification of
> high (although this assessment seems to be under review) and the
> response seems to be "Sorry, we are too busy trying to get the next
> version released to deal with this". If we were actually close to an
> Emacs 29 release, then perhaps this would be reasonable, but we don't
> even have a release candidate out yet.
> 
> Failing to address a high security vulnerability for months is a
> disservice for the emacs user base and likely to be a blight on Emacs'
> reputation and only provides those against free software with free
> ammunition. In addition to the technical aspects of a security
> vulnerability, perception is just as important. While the specific
> technical aspects of this vulnerability would seem to indicate only a
> subset of etags users are actually exposed to this risk, such detail is
> likely to be lost amongst the FUD which tends to accompany security
> issues. 

Would you like to work on preparing an Emacs 28.3 tarball?  The
instructions are in admin/make-tarball.txt and a couple of additional
files to which it points.

TIA