* Alerting users to new releases
From: Perry E. Metzger @ 2017-09-12 21:59 UTC (permalink / raw)
To: Emacs Devel
As it stands, when a security vuln shows up, and a new release gets
pushed out, there isn't a good way to alert the vast majority of
users to its presence.
One way such things are handled these days for a lot of projects is
to have the code periodically check if a newer version of the
software is available.
Would it be reasonable if a feature was added to Emacs to alert the
user that a newer version of Emacs existed? Or would the potential
privacy issues, even if the check could be turned off, exceed the
benefit?
Perry
--
Perry E. Metzger perry@piermont.com
* Re: Alerting users to new releases
From: Etienne Prud’homme @ 2017-09-12 23:35 UTC (permalink / raw)
To: Perry E. Metzger; +Cc: Emacs Devel
"Perry E. Metzger" <perry@piermont.com> writes:
> Would it be reasonable if a feature was added to Emacs to alert the
> user that a newer version of Emacs existed? Or would the potential
> privacy issues, even if the check could be turned off, exceed the
> benefit?
I was actually thinking about the same thing!
We could of course allow an opt-in variable that would allow checking
for any vulnerability in the current GNU Emacs version installed, but
most people won’t be aware of it or won’t bother using it.
One way to get around it would be to use the ELPA protocol. When
downloading packages, there could be a file describing current
vulnerabilities and affected versions. The client will then warn the
user accordingly and allow displaying a custom message.
--
Etienne
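
Added example, not code from this thread or from Emacs: the advisory-file idea in the message above, with the list matched locally against `emacs-version` so that nothing about the installation is sent to the server. The plist format, the sample entries and every `my-advisory-` name are assumptions made for illustration.

```emacs-lisp
;;; Local matching of an advisory list against the running Emacs version.
;; Hypothetical format: each entry is a plist with :id, :introduced,
;; :fixed (nil while unfixed) and :message.
(require 'cl-lib)

(defvar my-advisory-sample
  '((:id "EXAMPLE-0001" :introduced "24.1" :fixed "25.3"
     :message "Constructed entry: upgrade to 25.3 or later.")
    (:id "EXAMPLE-0002" :introduced "26.1" :fixed nil
     :message "Constructed entry: no fixed release yet."))
  "Constructed sample data; these are not real advisories.")

(defun my-advisory-affected-p (entry version)
  "Return non-nil if VERSION lies in the affected range of ENTRY.
The range is [:introduced, :fixed); a nil :fixed means still unfixed."
  (let ((introduced (plist-get entry :introduced))
        (fixed (plist-get entry :fixed)))
    (and (version<= introduced version)
         (or (null fixed) (version< version fixed)))))

(defun my-advisory-matches (advisories &optional version)
  "Return the entries of ADVISORIES that apply to VERSION.
VERSION defaults to the running `emacs-version'."
  (let ((version (or version emacs-version)))
    (cl-remove-if-not
     (lambda (entry)
       (condition-case nil
           (my-advisory-affected-p entry version)
         ;; Remote data is untrusted: a malformed or missing version
         ;; string must not break the session, so skip that entry.
         (error nil)))
     advisories)))

(defun my-advisory-warn (advisories)
  "Show one warning per entry of ADVISORIES affecting this Emacs."
  (dolist (entry (my-advisory-matches advisories))
    (display-warning 'security
                     (format "%s: %s"
                             (plist-get entry :id)
                             (plist-get entry :message))
                     :warning)))

;; With the constructed data, "25.2" matches only EXAMPLE-0001:
;; (mapcar (lambda (e) (plist-get e :id))
;;         (my-advisory-matches my-advisory-sample "25.2"))
```

The entries are only ever read as data with `plist-get`; nothing from the downloaded file is evaluated.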
* Re: Alerting users to new releases
From: Clément Pit-Claudel @ 2017-09-12 23:37 UTC (permalink / raw)
To: emacs-devel
On 2017-09-12 23:59, Perry E. Metzger wrote:
> As it stands, when a security vuln shows up, and a new release gets
> pushed out, there isn't a good way to alert the vast majority of
> users to its presence.
>
> One way such things are handled these days for a lot of projects is
> to have the code periodically check if a newer version of the
> software is available.
>
> Would it be reasonable if a feature was added to Emacs to alert the
> user that a newer version of Emacs existed? Or would the potential
> privacy issues, even if the check could be turned off, exceed the
> benefit?
>
> Perry
I think this would fit nicely in package.el.
We could have an emacs-upgrade-notifications package on ELPA. We'd update it when we release an updated Emacs.
From its autoloads, the package would announce the new release.
People would only get the notification if they refresh their package list, which already involves downloading remote data.
Or we could simply have package.el detect new versions, somehow.
Clément.
* Re: Alerting users to new releases
From: Sebastian Christ @ 2017-09-13 5:29 UTC (permalink / raw)
To: emacs-devel
>>>>> "CP" == Clément Pit-Claudel <cpitclaudel@gmail.com> writes:
CP> I think this would fit nicely in package.el
CP> We could have an emacs-upgrade-notifications package on
CP> ELPA. We'd update it when we release an updated Emacs. From its
CP> autoloads, the package would announce the new release. People
CP> would only get the notification if they refresh their package
CP> list, which already involves downloading remote data.
But what about those people (like me) that don't use package.el or ELPA?
I'd really like to have this feature, but I don't want to be forced to
use package.el or ELPA.
Best,
Sebastian
--
Sebastian (Rudolfo) Christ
http://rudolfochrist.github.io
GPG Fingerprint: 306D 8FD3 DFB6 4E44 5061
CE71 6407 D6F8 2AC5 55DD
* Re: Alerting users to new releases
From: Stefan Monnier @ 2017-09-13 12:18 UTC (permalink / raw)
To: emacs-devel
> But what about those people (like me) that don't use package.el or ELPA?
> I'd really like to have this feature, but I don't want to be forced to
> use package.el or ELPA.
GNU ELPA can be used from package.el or with your browser by downloading
the tarball and doing all the usual manual setup.
Stefan
* Re: Alerting users to new releases
From: Phillip Lord @ 2017-09-21 20:05 UTC (permalink / raw)
To: Etienne Prud’homme; +Cc: Emacs Devel, Perry E. Metzger
Etienne Prud’homme <e.e.f.prudhomme@gmail.com> writes:
> "Perry E. Metzger" <perry@piermont.com> writes:
>
>> Would it be reasonable if a feature was added to Emacs to alert the
>> user that a newer version of Emacs existed? Or would the potential
>> privacy issues, even if the check could be turned off, exceed the
>> benefit?
>
> I was actually thinking about the same thing!
>
> We could of course allow an opt-in variable that would allow checking
> for any vulnerability in the current GNU Emacs version installed, but
> most people won’t be aware of it or won’t bother using it.
>
> One way to get around it would be to use the ELPA protocol. When
> downloading packages, there could be a file describing current
> vulnerabilities and affected versions. The client will then warn the
> user accordingly and allow displaying a custom message.
There has already been a discussion about a security patches
package. Surely this is the same thing? I mean, you add a "release"
package. New release happens, "release" on ELPA gets updated.
If 26.0 checked for new packages and auto-upgraded "security" and
"release", then we would have everything we need.
Phil