unofficial mirror of emacs-devel@gnu.org 
* Alerting users to new releases
@ 2017-09-12 21:59 Perry E. Metzger
  2017-09-12 23:35 ` Etienne Prud’homme
  2017-09-12 23:37 ` Clément Pit-Claudel
  0 siblings, 2 replies; 6+ messages in thread
From: Perry E. Metzger @ 2017-09-12 21:59 UTC (permalink / raw)
  To: Emacs Devel

As it stands, when a security vuln shows up, and a new release gets
pushed out, there isn't a good way to alert the vast majority of
users to its presence.

One way such things are handled these days for a lot of projects is
to have the code periodically check if a newer version of the
software is available.

Would it be reasonable if a feature was added to Emacs to alert the
user that a newer version of Emacs existed? Or would the potential
privacy issues, even if the check could be turned off, exceed the
benefit?

Perry
-- 
Perry E. Metzger		perry@piermont.com




* Re: Alerting users to new releases
  2017-09-12 21:59 Alerting users to new releases Perry E. Metzger
@ 2017-09-12 23:35 ` Etienne Prud’homme
  2017-09-21 20:05   ` Phillip Lord
  2017-09-12 23:37 ` Clément Pit-Claudel
  1 sibling, 1 reply; 6+ messages in thread
From: Etienne Prud’homme @ 2017-09-12 23:35 UTC (permalink / raw)
  To: Perry E. Metzger; +Cc: Emacs Devel

"Perry E. Metzger" <perry@piermont.com> writes:

> Would it be reasonable if a feature was added to Emacs to alert the
> user that a newer version of Emacs existed? Or would the potential
> privacy issues, even if the check could be turned off, exceed the
> benefit?

I was actually thinking about the same thing!

We could of course allow an opt-in variable that would allow checking
for any vulnerability in the current GNU Emacs version installed, but
most people won’t be aware of it or won’t bother using it.

One way to get around it would be to use the ELPA protocol.  When
downloading packages, there could be a file describing current
vulnerabilities and affected versions.  The client will then warn the
user accordingly and allow displaying a custom message.

--
Etienne
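
Added example, not part of the original thread and not code from Emacs or package.el: a sketch in Emacs Lisp of the client-side check described above, comparing an Emacs version against an advisory list that would arrive with a package-list refresh the user already performs. The advisory entry format, the `example-advisory-` names and the sample entries are assumptions constructed for illustration.

```elisp
;;; advisory-check.el --- added illustration -*- lexical-binding: t -*-
;; Not code from Emacs or package.el.  Hypothetical advisory entry format:
;;   (ID FIRST-AFFECTED FIRST-FIXED MESSAGE)
;; A version V is affected when FIRST-AFFECTED <= V < FIRST-FIXED.
(require 'seq)

(defvar example-advisory-sample
  '(("EXAMPLE-0001" "25.1" "25.3" "Constructed sample: upgrade to 25.3.")
    ("EXAMPLE-0002" "24.1" "24.5" "Constructed sample: 24.x only.")
    ("EXAMPLE-0003" "not-a-version" nil "Constructed malformed entry."))
  "Constructed sample data; these are not real advisories.")

(defun example-advisory-affects-p (advisory version)
  "Return non-nil if ADVISORY covers VERSION, a version string."
  (and (version<= (nth 1 advisory) version)
       (version< version (nth 2 advisory))))

(defun example-advisory-matches (version advisories)
  "Return the entries of ADVISORIES that affect VERSION.
A malformed entry is skipped so it cannot abort the whole check."
  (seq-filter (lambda (advisory)
                (condition-case nil
                    (example-advisory-affects-p advisory version)
                  (error nil)))
              advisories))

(defun example-advisory-warn (&optional version advisories)
  "Warn about advisories affecting VERSION (default: the running Emacs).
Return the list of matching entries."
  (let* ((version (or version emacs-version))
         (matches (example-advisory-matches
                   version (or advisories example-advisory-sample))))
    (dolist (advisory matches matches)
      (display-warning 'security
                       (format "%s affects Emacs %s: %s"
                               (nth 0 advisory) version (nth 3 advisory))
                       :warning))))

;; Check a chosen version against the constructed sample data.
(example-advisory-warn "25.2")
```

A warning driven by downloaded data is only as trustworthy as the channel that delivered it, so such a list would need the same authentication as package metadata; package.el's `package-check-signature` option governs its signature verification.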




* Re: Alerting users to new releases
  2017-09-12 21:59 Alerting users to new releases Perry E. Metzger
  2017-09-12 23:35 ` Etienne Prud’homme
@ 2017-09-12 23:37 ` Clément Pit-Claudel
  2017-09-13  5:29   ` Sebastian Christ
  1 sibling, 1 reply; 6+ messages in thread
From: Clément Pit-Claudel @ 2017-09-12 23:37 UTC (permalink / raw)
  To: emacs-devel

On 2017-09-12 23:59, Perry E. Metzger wrote:
> As it stands, when a security vuln shows up, and a new release gets
> pushed out, there isn't a good way to alert the vast majority of
> users to its presence.
> 
> One way such things are handled these days for a lot of projects is
> to have the code periodically check if a newer version of the
> software is available.
> 
> Would it be reasonable if a feature was added to Emacs to alert the
> user that a newer version of Emacs existed? Or would the potential
> privacy issues, even if the check could be turned off, exceed the
> benefit?
> 
> Perry

I think this would fit nicely in package.el

We could have an emacs-upgrade-notifications package on ELPA. We'd update it when we release an updated Emacs.
From its autoloads, the package would announce the new release.
People would only get the notification if they refresh their package list, which already involves downloading remote data.

Or we could simply have package.el detect new versions, somehow.

Clément.




* Re: Alerting users to new releases
  2017-09-12 23:37 ` Clément Pit-Claudel
@ 2017-09-13  5:29   ` Sebastian Christ
  2017-09-13 12:18     ` Stefan Monnier
  0 siblings, 1 reply; 6+ messages in thread
From: Sebastian Christ @ 2017-09-13  5:29 UTC (permalink / raw)
  To: emacs-devel

>>>>> "CP" == Clément Pit-Claudel <cpitclaudel@gmail.com> writes:
    CP> I think this would fit nicely in package.el

    CP> We could have an emacs-upgrade-notifications package on
    CP> ELPA. We'd update it when we release an updated Emacs.  From its
    CP> autoloads, the package would announce the new release.  People
    CP> would only get the notification if they refresh their package
    CP> list, which already involves downloading remote data.

But what about those people (like me) that don't use package.el or ELPA?
I'd really like to have this feature, but I don't want to be forced to
use package.el or ELPA.

Best,
Sebastian


-- 
Sebastian (Rudolfo) Christ
http://rudolfochrist.github.io
GPG Fingerprint: 306D 8FD3 DFB6 4E44 5061
                 CE71 6407 D6F8 2AC5 55DD





* Re: Alerting users to new releases
  2017-09-13  5:29   ` Sebastian Christ
@ 2017-09-13 12:18     ` Stefan Monnier
  0 siblings, 0 replies; 6+ messages in thread
From: Stefan Monnier @ 2017-09-13 12:18 UTC (permalink / raw)
  To: emacs-devel

> But what about those people (like me) that don't use package.el or ELPA?
> I'd really like to have this feature, but I don't want to be forced to
> use package.el or ELPA.

GNU ELPA can be used from package.el or with your browser by downloading
the tarball and doing all the usual manual setup.


        Stefan





* Re: Alerting users to new releases
  2017-09-12 23:35 ` Etienne Prud’homme
@ 2017-09-21 20:05   ` Phillip Lord
  0 siblings, 0 replies; 6+ messages in thread
From: Phillip Lord @ 2017-09-21 20:05 UTC (permalink / raw)
  To: Etienne Prud’homme; +Cc: Emacs Devel, Perry E. Metzger

Etienne Prud’homme <e.e.f.prudhomme@gmail.com> writes:

> "Perry E. Metzger" <perry@piermont.com> writes:
>
>> Would it be reasonable if a feature was added to Emacs to alert the
>> user that a newer version of Emacs existed? Or would the potential
>> privacy issues, even if the check could be turned off, exceed the
>> benefit?
>
> I was actually thinking about the same thing!
>
> We could of course allow an opt-in variable that would allow checking
> for any vulnerability in the current GNU Emacs version installed, but
> most people won’t be aware of it or won’t bother using it.
>
> One way to get around it would be to use the ELPA protocol.  When
> downloading packages, there could be a file describing current
> vulnerabilities and affected versions.  The client will then warn the
> user accordingly and allow displaying a custom message.


There has already been a discussion about a security patches
package. Surely this is the same thing? I mean, you add a "release"
package. New release happens, "release" on ELPA gets updated.

If 26.0 checked for new packages and auto-upgraded "security" and
"release", then we would have everything we need.

Phil


