From: Tim Cross <theophilusx@gmail.com>
To: Eli Zaretskii <eliz@gnu.org>
Cc: lux <lx@shellcodes.org>, comms@dabrev.com, emacs-devel@gnu.org
Subject: Re: Request to backport fix for CVE-2022-45939 to Emacs 28
Date: Wed, 15 Feb 2023 07:10:58 +1100	[thread overview]
Message-ID: <86ttzougu2.fsf@gmail.com> (raw)
In-Reply-To: <838rh0e64j.fsf@gnu.org>


Eli Zaretskii <eliz@gnu.org> writes:

>> From: lux <lx@shellcodes.org>
>> Cc: emacs-devel@gnu.org
>> Date: Tue, 14 Feb 2023 13:07:44 +0800
>> 
>> Hi, I can fix the CVE-2022-45939, this is a patch.
>
> We don't need a patch for that, we just need to cherry-pick the
> related commits from emacs-29.
>
> But that is not what the OP requested: he requested that we also
> produce an Emacs 28.3 release.  And that is a much larger job, for
> which we currently don't have the time or resources.

While I understand the resourcing issues, I think this is the wrong
decision. We are in the situation where the current released version of
Emacs has a known security exploit with a severity classification of
high (although this assessment seems to be under review) and the
response seems to be "Sorry, we are too busy trying to get the next
version released to deal with this". If we were actually close to an
Emacs 29 release, then perhaps this would be reasonable, but we don't
even have a release candidate out yet.

Failing to address a high security vulnerability for months is a
disservice to the Emacs user base and likely to be a blight on Emacs'
reputation and only provides those against free software with free
ammunition. In addition to the technical aspects of a security
vulnerability, perception is just as important. While the specific
technical aspects of this vulnerability would seem to indicate only a
subset of etags users are actually exposed to this risk, such detail is
likely to be lost amongst the FUD which tends to accompany security
issues.
