unofficial mirror of emacs-devel@gnu.org 
* [ANNOUNCE] Emacs 25.3 released
@ 2017-09-11 20:52 Nicolas Petton
  2017-09-12  8:48 ` Andreas Schwab
                   ` (4 more replies)
  0 siblings, 5 replies; 119+ messages in thread
From: Nicolas Petton @ 2017-09-11 20:52 UTC (permalink / raw)
  To: Emacs Devel


Hi!

Version 25.3 of the Emacs text editor is now available.

For more information on Emacs, see:
  http://www.gnu.org/software/emacs

You can retrieve the source from your nearest GNU mirror by using one
of the following links:
  http://ftpmirror.gnu.org/emacs/emacs-25.3.tar.xz
  http://ftpmirror.gnu.org/emacs/emacs-25.3.tar.gz

You can get the PGP signatures at
  http://ftp.gnu.org/gnu/emacs/emacs-25.3.tar.xz.sig
  http://ftp.gnu.org/gnu/emacs/emacs-25.3.tar.gz.sig

You can choose a mirror explicitly from the list at:
  http://www.gnu.org/prep/ftp.html

Mirrors may take some time to update; the main GNU ftp server is at:
  http://ftp.gnu.org/gnu/emacs/

This is an emergency release to fix a security vulnerability in Emacs.

Enriched Text mode has its support for decoding 'x-display' disabled.
This feature allows saving 'display' properties as part of text.
Emacs 'display' properties support evaluation of arbitrary Lisp forms
as part of instantiating the property, so decoding 'x-display' is
vulnerable to executing arbitrary malicious Lisp code included in the
text (e.g., sent as part of an email message).

This vulnerability was introduced in Emacs 19.29.  To work around that
in Emacs versions before 25.3, append the following to your ~/.emacs
init file:

  (eval-after-load "enriched"
    '(defun enriched-decode-display-prop (start end &optional param)
       (list start end)))

Gnus no longer supports "richtext" and "enriched" inline MIME objects.
This support was disabled to avoid evaluation of arbitrary Lisp code
contained in email messages and news articles.


Printed copies of the Emacs manual are available for purchase from the
Free Software Foundation's online store at:
  http://shop.fsf.org/product/emacs-manual/

(The version on sale is updated for Emacs 24.2, but it remains a great
reference book for current Emacs, and buying a copy is a great way to
support the work of the FSF.)

Regards,
Nico


^ permalink raw reply	[flat|nested] 119+ messages in thread
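
The check below is an added example, not part of Nicolas Petton's message or of Emacs: on an Emacs older than 25.3 it tests whether the workaround quoted above has taken effect. The file name and every my/ name are hypothetical, and it assumes that a definition which still decodes x-display returns the symbol 'display' in its result list.

```elisp
;;; check-x-display.el --- added example; file name and my/ names are hypothetical

(require 'enriched) ; loading it runs any (eval-after-load "enriched" ...) form

(defconst my/x-display-probe "\"probe\""
  "Constructed, inert x-display parameter: it reads as a plain string.")

(defun my/x-display-status ()
  "Return `not-applicable', `disabled' or `enabled' for this Emacs.
Assumption (not stated in the thread): a definition that still
decodes x-display returns the symbol `display' and its value as
extra list elements after START and END."
  (if (not (version< emacs-version "25.3"))
      'not-applicable                 ; the release itself carries the fix
    (let ((result (enriched-decode-display-prop 1 1 my/x-display-probe)))
      (if (and (listp result) (memq 'display result))
          'enabled
        'disabled))))

(defun my/x-display-report ()
  "Log one status line and return non-nil unless decoding is still enabled."
  (let ((status (my/x-display-status)))
    (message "Emacs %s: x-display decoding is %s" emacs-version status)
    (not (eq status 'enabled))))

;; In batch mode, turn the result into an exit status for scripts.
(when noninteractive
  (kill-emacs (if (my/x-display-report) 0 1)))
```

Run it as `emacs --batch -l ~/.emacs -l check-x-display.el`; the exit status is 0 unless x-display decoding is still enabled. Batch mode does not read the init file unless it is loaded explicitly, so leaving out `-l ~/.emacs` shows the same gap as the -Q caveat raised later in the thread.
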

* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-11 20:52 [ANNOUNCE] Emacs 25.3 released Nicolas Petton
@ 2017-09-12  8:48 ` Andreas Schwab
  2017-09-12 11:29   ` Nicolas Petton
  2017-09-12 16:05 ` Philippe Vaucher
                   ` (3 subsequent siblings)
  4 siblings, 1 reply; 119+ messages in thread
From: Andreas Schwab @ 2017-09-12  8:48 UTC (permalink / raw)
  To: Nicolas Petton; +Cc: Emacs Devel

On Sep 11 2017, Nicolas Petton <nicolas@petton.fr> wrote:

> Version 25.3 of the Emacs text editor is now available.

The release has not been tagged.

Andreas.

-- 
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE  1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12  8:48 ` Andreas Schwab
@ 2017-09-12 11:29   ` Nicolas Petton
  2017-09-12 11:56     ` Andreas Schwab
  0 siblings, 1 reply; 119+ messages in thread
From: Nicolas Petton @ 2017-09-12 11:29 UTC (permalink / raw)
  To: Andreas Schwab; +Cc: Emacs Devel


Andreas Schwab <schwab@suse.de> writes:

> The release has not been tagged.

No, as there's no corresponding git commit yet.  Same for the website,
it needs to be updated (I'll do that now).

Cheers,
Nico


* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 11:29   ` Nicolas Petton
@ 2017-09-12 11:56     ` Andreas Schwab
  2017-09-12 12:10       ` Rostislav Svoboda
  2017-09-12 12:40       ` Eli Zaretskii
  0 siblings, 2 replies; 119+ messages in thread
From: Andreas Schwab @ 2017-09-12 11:56 UTC (permalink / raw)
  To: Nicolas Petton; +Cc: Emacs Devel

On Sep 12 2017, Nicolas Petton <nicolas@petton.fr> wrote:

> Andreas Schwab <schwab@suse.de> writes:
>
>> The release has not been tagged.
>
> No, as there's no corresponding git commit yet.

Why not?  A release should never be made out of the blue.

Andreas.

-- 
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE  1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 11:56     ` Andreas Schwab
@ 2017-09-12 12:10       ` Rostislav Svoboda
  2017-09-12 12:42         ` Eli Zaretskii
                           ` (5 more replies)
  2017-09-12 12:40       ` Eli Zaretskii
  1 sibling, 6 replies; 119+ messages in thread
From: Rostislav Svoboda @ 2017-09-12 12:10 UTC (permalink / raw)
  To: Andreas Schwab; +Cc: Nicolas Petton, Emacs Devel

>>> The release has not been tagged.
>>
>> No, as there's no corresponding git commit yet.

???
That would mean the Emacs 25.3 is almost open source.
Except the last commit containing [dramatic pause] we don't know what!?!




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 11:56     ` Andreas Schwab
  2017-09-12 12:10       ` Rostislav Svoboda
@ 2017-09-12 12:40       ` Eli Zaretskii
  1 sibling, 0 replies; 119+ messages in thread
From: Eli Zaretskii @ 2017-09-12 12:40 UTC (permalink / raw)
  To: emacs-devel, Andreas Schwab, Nicolas Petton; +Cc: Emacs Devel

On September 12, 2017 2:56:24 PM GMT+03:00, Andreas Schwab <schwab@suse.de> wrote:
> On Sep 12 2017, Nicolas Petton <nicolas@petton.fr> wrote:
> 
> > Andreas Schwab <schwab@suse.de> writes:
> >
> >> The release has not been tagged.
> >
> > No, as there's no corresponding git commit yet.
> 
> Why not?  A release should never be made out of the blue.
> 
> Andreas.

Because I asked Nicolas to produce the tarball first and leave the rest
for later.  This was no normal release.




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 12:10       ` Rostislav Svoboda
@ 2017-09-12 12:42         ` Eli Zaretskii
  2017-09-12 12:44         ` Clément Pit-Claudel
                           ` (4 subsequent siblings)
  5 siblings, 0 replies; 119+ messages in thread
From: Eli Zaretskii @ 2017-09-12 12:42 UTC (permalink / raw)
  To: emacs-devel, Rostislav Svoboda, Andreas Schwab
  Cc: Nicolas Petton, Emacs Devel

On September 12, 2017 3:10:00 PM GMT+03:00, Rostislav Svoboda <rostislav.svoboda@gmail.com> wrote:
> >>> The release has not been tagged.
> >>
> >> No, as there's no corresponding git commit yet.
> 
> ???
> That would mean the Emacs 25.3 is almost open source.
> Except the last commit containing [dramatic pause] we don't know
> what!?!

Please calm down, no catastrophe happened.

Desperate times call for desperate measures.  It was my
judgment call.




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 12:10       ` Rostislav Svoboda
  2017-09-12 12:42         ` Eli Zaretskii
@ 2017-09-12 12:44         ` Clément Pit-Claudel
  2017-09-12 12:55         ` Nicolas Petton
                           ` (3 subsequent siblings)
  5 siblings, 0 replies; 119+ messages in thread
From: Clément Pit-Claudel @ 2017-09-12 12:44 UTC (permalink / raw)
  To: Rostislav Svoboda, Andreas Schwab; +Cc: Nicolas Petton, Emacs Devel

On 2017-09-12 14:10, Rostislav Svoboda wrote:
> ???
> That would mean the Emacs 25.3 is almost open source.
> Except the last commit containing [dramatic pause] we don't know what!?!

What are you talking about? The message you're replying to points to a source tarball.




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 12:10       ` Rostislav Svoboda
  2017-09-12 12:42         ` Eli Zaretskii
  2017-09-12 12:44         ` Clément Pit-Claudel
@ 2017-09-12 12:55         ` Nicolas Petton
  2017-09-12 13:03           ` Andreas Schwab
  2017-09-12 15:17         ` Eli Zaretskii
                           ` (2 subsequent siblings)
  5 siblings, 1 reply; 119+ messages in thread
From: Nicolas Petton @ 2017-09-12 12:55 UTC (permalink / raw)
  To: Rostislav Svoboda, Andreas Schwab; +Cc: Emacs Devel


Rostislav Svoboda <rostislav.svoboda@gmail.com> writes:

>>>> The release has not been tagged.
>>>
>>> No, as there's no corresponding git commit yet.
>
> ???
> That would mean the Emacs 25.3 is almost open source.

There will be a git commit and a 25.3 tag, no worries.  The tarball was
built in a hurry.

Nico


* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 12:55         ` Nicolas Petton
@ 2017-09-12 13:03           ` Andreas Schwab
  2017-09-12 13:29             ` Rostislav Svoboda
  2017-09-12 15:22             ` Eli Zaretskii
  0 siblings, 2 replies; 119+ messages in thread
From: Andreas Schwab @ 2017-09-12 13:03 UTC (permalink / raw)
  To: Nicolas Petton; +Cc: Rostislav Svoboda, Emacs Devel

On Sep 12 2017, Nicolas Petton <nicolas@petton.fr> wrote:

> There will be a git commit and a 25.3 tag, no worries.  The tarball was
> built in a hurry.

There should never be a hurry.  Ever.

Andreas.

-- 
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE  1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 13:03           ` Andreas Schwab
@ 2017-09-12 13:29             ` Rostislav Svoboda
  2017-09-12 15:25               ` Eli Zaretskii
  2017-09-12 18:38               ` Nicolas Petton
  2017-09-12 15:22             ` Eli Zaretskii
  1 sibling, 2 replies; 119+ messages in thread
From: Rostislav Svoboda @ 2017-09-12 13:29 UTC (permalink / raw)
  To: Andreas Schwab; +Cc: Nicolas Petton, Emacs Devel

>>> The release has not been tagged.
>>
>> No, as there's no corresponding git commit yet.

The thing is, guys, in my daily job I do this kind of "release and pray"
source code management on a daily basis.
You know - cobol, mainframes, finance industry, dinosaurs...

I get restless pretty quickly when I spot the Cthulhu in the open source world.

2017-09-12 15:03 GMT+02:00 Andreas Schwab <schwab@suse.de>:
> There should never be a hurry.  Ever.

Thank you Andreas.




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 12:10       ` Rostislav Svoboda
                           ` (2 preceding siblings ...)
  2017-09-12 12:55         ` Nicolas Petton
@ 2017-09-12 15:17         ` Eli Zaretskii
  2017-09-12 22:13         ` Richard Stallman
  2017-09-13  1:41         ` Stefan Monnier
  5 siblings, 0 replies; 119+ messages in thread
From: Eli Zaretskii @ 2017-09-12 15:17 UTC (permalink / raw)
  To: Rostislav Svoboda; +Cc: schwab, nicolas, emacs-devel

> From: Rostislav Svoboda <rostislav.svoboda@gmail.com>
> Date: Tue, 12 Sep 2017 14:10:00 +0200
> Cc: Nicolas Petton <nicolas@petton.fr>, Emacs Devel <emacs-devel@gnu.org>
> 
> Except the last commit containing [dramatic pause] we don't know what!?!

You do know, as it was posted:

  https://debbugs.gnu.org/cgi/bugreport.cgi?bug=28350#54
  http://lists.gnu.org/archive/html/bug-gnu-emacs/2017-09/msg00353.html




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 13:03           ` Andreas Schwab
  2017-09-12 13:29             ` Rostislav Svoboda
@ 2017-09-12 15:22             ` Eli Zaretskii
  2017-09-12 15:47               ` Andreas Schwab
                                 ` (3 more replies)
  1 sibling, 4 replies; 119+ messages in thread
From: Eli Zaretskii @ 2017-09-12 15:22 UTC (permalink / raw)
  To: Andreas Schwab; +Cc: nicolas, rostislav.svoboda, emacs-devel

> From: Andreas Schwab <schwab@suse.de>
> Date: Tue, 12 Sep 2017 15:03:16 +0200
> Cc: Rostislav Svoboda <rostislav.svoboda@gmail.com>,
> 	Emacs Devel <emacs-devel@gnu.org>
> 
> On Sep 12 2017, Nicolas Petton <nicolas@petton.fr> wrote:
> 
> > There will be a git commit and a 25.3 tag, no worries.  The tarball was
> > built in a hurry.
> 
> There should never be a hurry.  Ever.

There should be no security vulnerabilities, either.  Ever.  But there
was, this time.  So we wanted to put the tarball out the door quickly
and safely, because that's what the community expected.

We should all thank Nicolas who did a splendid job, just a few hours
after I gave him the final patch.  There's no need to pounce on him or
make the (false) presentation of his job as less than perfect.




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 13:29             ` Rostislav Svoboda
@ 2017-09-12 15:25               ` Eli Zaretskii
  2017-09-12 15:48                 ` Andreas Schwab
  2017-09-12 16:42                 ` Rostislav Svoboda
  2017-09-12 18:38               ` Nicolas Petton
  1 sibling, 2 replies; 119+ messages in thread
From: Eli Zaretskii @ 2017-09-12 15:25 UTC (permalink / raw)
  To: Rostislav Svoboda; +Cc: schwab, nicolas, emacs-devel

> From: Rostislav Svoboda <rostislav.svoboda@gmail.com>
> Date: Tue, 12 Sep 2017 15:29:53 +0200
> Cc: Nicolas Petton <nicolas@petton.fr>, Emacs Devel <emacs-devel@gnu.org>
> 
> >>> The release has not been tagged.
> >>
> >> No, as there's no corresponding git commit yet.
> 
> The thing is, guys, in my daily job I do this kind of "release and pray"
> source code management on a daily basis.

Maybe _you_ do that, but Nicolas didn't.  He did all his work from a
Git branch, with full source control.

> I get restless pretty quickly when I spot the Cthulhu in the open source world.

Emacs is not open source.




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 15:22             ` Eli Zaretskii
@ 2017-09-12 15:47               ` Andreas Schwab
  2017-09-12 16:37                 ` Eli Zaretskii
  2017-09-13  6:50               ` Andreas Schwab
                                 ` (2 subsequent siblings)
  3 siblings, 1 reply; 119+ messages in thread
From: Andreas Schwab @ 2017-09-12 15:47 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: nicolas, rostislav.svoboda, emacs-devel

On Sep 12 2017, Eli Zaretskii <eliz@gnu.org> wrote:

>> From: Andreas Schwab <schwab@suse.de>
>> Date: Tue, 12 Sep 2017 15:03:16 +0200
>> Cc: Rostislav Svoboda <rostislav.svoboda@gmail.com>,
>> 	Emacs Devel <emacs-devel@gnu.org>
>> 
>> On Sep 12 2017, Nicolas Petton <nicolas@petton.fr> wrote:
>> 
>> > There will be a git commit and a 25.3 tag, no worries.  The tarball was
>> > built in a hurry.
>> 
>> There should never be a hurry.  Ever.
>
> There should be no security vulnerabilities, either.  Ever.  But there
> was, this time.  So we wanted to put the tarball out the door quickly
> and safely, because that's what the community expected.

It was you who removed it from the blocking items?

Andreas.

-- 
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE  1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 15:25               ` Eli Zaretskii
@ 2017-09-12 15:48                 ` Andreas Schwab
  2017-09-12 15:55                   ` Paul Eggert
  2017-09-12 16:38                   ` Eli Zaretskii
  2017-09-12 16:42                 ` Rostislav Svoboda
  1 sibling, 2 replies; 119+ messages in thread
From: Andreas Schwab @ 2017-09-12 15:48 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: nicolas, Rostislav Svoboda, emacs-devel

On Sep 12 2017, Eli Zaretskii <eliz@gnu.org> wrote:

>> From: Rostislav Svoboda <rostislav.svoboda@gmail.com>
>> Date: Tue, 12 Sep 2017 15:29:53 +0200
>> Cc: Nicolas Petton <nicolas@petton.fr>, Emacs Devel <emacs-devel@gnu.org>
>> 
>> >>> The release has not been tagged.
>> >>
>> >> No, as there's no corresponding git commit yet.
>> 
>> The thing is, guys, in my daily job I do this kind of "release and pray"
>> source code management on a daily basis.
>
> Maybe _you_ do that, but Nicolas didn't.  He did all his work from a
> Git branch, with full source control.

I don't see any branch containing the release.

Andreas.

-- 
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE  1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 15:48                 ` Andreas Schwab
@ 2017-09-12 15:55                   ` Paul Eggert
  2017-09-12 16:38                     ` Eli Zaretskii
                                       ` (2 more replies)
  2017-09-12 16:38                   ` Eli Zaretskii
  1 sibling, 3 replies; 119+ messages in thread
From: Paul Eggert @ 2017-09-12 15:55 UTC (permalink / raw)
  To: Andreas Schwab, Eli Zaretskii; +Cc: nicolas, Rostislav Svoboda, emacs-devel

On 09/12/2017 08:48 AM, Andreas Schwab wrote:
> I don't see any branch containing the release.

Nor do I. I was thinking of creating an emacs-25.3 branch post facto, 
with a single commit representing the release, and tagged as emacs-25.3. 
However, it'd be better if Nicolas did it, since I presume he already 
has a branch in his private repository. If he doesn't have such a 
branch, I'll volunteer to create emacs-25.3 as described.





* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-11 20:52 [ANNOUNCE] Emacs 25.3 released Nicolas Petton
  2017-09-12  8:48 ` Andreas Schwab
@ 2017-09-12 16:05 ` Philippe Vaucher
  2017-09-12 16:30   ` Paul Eggert
                     ` (3 more replies)
  2017-09-12 16:06 ` Roland Winkler
                   ` (2 subsequent siblings)
  4 siblings, 4 replies; 119+ messages in thread
From: Philippe Vaucher @ 2017-09-12 16:05 UTC (permalink / raw)
  To: Nicolas Petton; +Cc: Emacs Devel


>
> This vulnerability was introduced in Emacs 19.29.  To work around that
> in Emacs versions before 25.3, append the following to your ~/.emacs
> init file:
>

Does a vulnerability that has been there since that long really deserve
such a rushed release?

I mean, you could have gone through the classic release procedure with
tags/branches etc and maybe delay the release for 2-3 days. Would it really
have changed something in that case?

I don't understand why this particular security issue was treated that
dramatically, but maybe I'm missing something.

Philippe


* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-11 20:52 [ANNOUNCE] Emacs 25.3 released Nicolas Petton
  2017-09-12  8:48 ` Andreas Schwab
  2017-09-12 16:05 ` Philippe Vaucher
@ 2017-09-12 16:06 ` Roland Winkler
  2017-09-12 16:41   ` Paul Eggert
                     ` (2 more replies)
  2017-09-12 23:45 ` Hotfixing older Emacsen? Was: [ANNOUNCE] Emacs 25.3 released Clément Pit-Claudel
  2017-09-13 18:40 ` Charles A. Roelli
  4 siblings, 3 replies; 119+ messages in thread
From: Roland Winkler @ 2017-09-12 16:06 UTC (permalink / raw)
  To: emacs-devel

On Mon, Sep 11 2017, Nicolas Petton wrote:
> This vulnerability was introduced in Emacs 19.29.  To work around that
> in Emacs versions before 25.3, append the following to your ~/.emacs
> init file:
>
>   (eval-after-load "enriched"
>     '(defun enriched-decode-display-prop (start end &optional param)
>        (list start end)))

Many users may have the problem that they cannot upgrade immediately to
25.3.  Is it fair to say that putting the above lines of code in
~/.emacs fully protects the user from the vulnerability?  If yes, we may
want to advertise these lines of code more broadly.  Or do the above
lines of code provide only an incomplete fix?  Then, what can users do
instead when they still have to use older versions of emacs?





* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 16:05 ` Philippe Vaucher
@ 2017-09-12 16:30   ` Paul Eggert
  2017-09-12 16:52     ` Eli Zaretskii
  2017-09-12 16:40   ` Eli Zaretskii
                     ` (2 subsequent siblings)
  3 siblings, 1 reply; 119+ messages in thread
From: Paul Eggert @ 2017-09-12 16:30 UTC (permalink / raw)
  To: emacs-devel

On 09/12/2017 09:05 AM, Philippe Vaucher wrote:
> Does a vulnerability that has been there since that long really 
> deserve such a rushed release?
>
> I mean, you could have gone through the classic release procedure with 
> tags/branches etc and maybe delay the release for 2-3 days. Would it 
> really have changed something in that case?
>
> I don't understand why this particular security issue was treated that 
> dramatically, but maybe I'm missing something.

The security issue was quite bad. Adding tags and branches is a matter 
of minutes, not days. It hasn't been done yet (which is not a good 
thing), but it should get done reasonably soon.





* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 15:47               ` Andreas Schwab
@ 2017-09-12 16:37                 ` Eli Zaretskii
  2017-09-13  6:45                   ` Andreas Schwab
  0 siblings, 1 reply; 119+ messages in thread
From: Eli Zaretskii @ 2017-09-12 16:37 UTC (permalink / raw)
  To: Andreas Schwab; +Cc: nicolas, rostislav.svoboda, emacs-devel

> From: Andreas Schwab <schwab@suse.de>
> Cc: nicolas@petton.fr,  rostislav.svoboda@gmail.com,  emacs-devel@gnu.org
> Date: Tue, 12 Sep 2017 17:47:14 +0200
> 
> > There should be no security vulnerabilities, either.  Ever.  But there
> > was, this time.  So we wanted to put the tarball out the door quickly
> > and safely, because that's what the community expected.
> 
> It was you who removed it from the blocking items?

For Emacs 26.1, which is not what we are talking about here.




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 15:48                 ` Andreas Schwab
  2017-09-12 15:55                   ` Paul Eggert
@ 2017-09-12 16:38                   ` Eli Zaretskii
  2017-09-12 18:39                     ` Nicolas Petton
  2017-09-13  6:49                     ` Andreas Schwab
  1 sibling, 2 replies; 119+ messages in thread
From: Eli Zaretskii @ 2017-09-12 16:38 UTC (permalink / raw)
  To: Andreas Schwab; +Cc: nicolas, rostislav.svoboda, emacs-devel

> From: Andreas Schwab <schwab@suse.de>
> Cc: Rostislav Svoboda <rostislav.svoboda@gmail.com>,  nicolas@petton.fr,  emacs-devel@gnu.org
> Date: Tue, 12 Sep 2017 17:48:22 +0200
> 
> > Maybe _you_ do that, but Nicolas didn't.  He did all his work from a
> > Git branch, with full source control.
> 
> I don't see any branch containing the release.

Do you have access to Nicolas's machine?




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 15:55                   ` Paul Eggert
@ 2017-09-12 16:38                     ` Eli Zaretskii
  2017-09-12 18:26                     ` Nicolas Petton
  2017-09-12 19:09                     ` Nicolas Petton
  2 siblings, 0 replies; 119+ messages in thread
From: Eli Zaretskii @ 2017-09-12 16:38 UTC (permalink / raw)
  To: Paul Eggert; +Cc: schwab, nicolas, rostislav.svoboda, emacs-devel

> Cc: nicolas@petton.fr, Rostislav Svoboda <rostislav.svoboda@gmail.com>,
>  emacs-devel@gnu.org
> From: Paul Eggert <eggert@cs.ucla.edu>
> Date: Tue, 12 Sep 2017 08:55:34 -0700
> 
> On 09/12/2017 08:48 AM, Andreas Schwab wrote:
> > I don't see any branch containing the release.
> 
> Nor do I. I was thinking of creating an emacs-25.3 branch post facto, 
> with a single commit representing the release, and tagged as emacs-25.3. 

That's what will be done.




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 16:05 ` Philippe Vaucher
  2017-09-12 16:30   ` Paul Eggert
@ 2017-09-12 16:40   ` Eli Zaretskii
  2017-09-14 11:15     ` Philippe Vaucher
  2017-09-12 22:11   ` Timur Aydin
  2017-09-12 22:16   ` Richard Stallman
  3 siblings, 1 reply; 119+ messages in thread
From: Eli Zaretskii @ 2017-09-12 16:40 UTC (permalink / raw)
  To: Philippe Vaucher; +Cc: nicolas, emacs-devel

> From: Philippe Vaucher <philippe.vaucher@gmail.com>
> Date: Tue, 12 Sep 2017 18:05:29 +0200
> Cc: Emacs Devel <emacs-devel@gnu.org>
> 
>  This vulnerability was introduced in Emacs 19.29. To work around that
>  in Emacs versions before 25.3, append the following to your ~/.emacs
>  init file:
> 
> Does a vulnerability that has been there since that long really deserve such a rushed release?

The same question, more or less, was already asked and answered, in
the positive.  People actually wanted the release even earlier, but we
had to wait for a day until Nicolas could find free time.

> I don't understand why this particular security issue was treated that dramatically, but maybe I'm missing
> something.

That's what everyone wanted.  Just read the lists.




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 16:06 ` Roland Winkler
@ 2017-09-12 16:41   ` Paul Eggert
  2017-09-12 16:54     ` Roland Winkler
  2017-09-12 16:42   ` Eli Zaretskii
  2017-09-12 17:46   ` Phillip Lord
  2 siblings, 1 reply; 119+ messages in thread
From: Paul Eggert @ 2017-09-12 16:41 UTC (permalink / raw)
  To: Roland Winkler; +Cc: emacs-devel

On 09/12/2017 09:06 AM, Roland Winkler wrote:
> Is it fair to say that putting the above lines of code in
> ~/.emacs fully protects the user from the vulnerability?

Yes, if they avoid options like -Q that bypass ~/.emacs.

> If yes, we may
> want to advertise these lines of code more broadly.

What do you suggest? We sent email to info-gnu. It's been publicized on 
Reddit, OpenNET (in Russian), Linux-Magazin (in German), and so forth.





* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 15:25               ` Eli Zaretskii
  2017-09-12 15:48                 ` Andreas Schwab
@ 2017-09-12 16:42                 ` Rostislav Svoboda
  2017-09-12 16:54                   ` Eli Zaretskii
  1 sibling, 1 reply; 119+ messages in thread
From: Rostislav Svoboda @ 2017-09-12 16:42 UTC (permalink / raw)
  To: Eli Zaretskii
  Cc: Andreas Schwab, Nicolas Petton, emacs-devel@gnu.org Development

2017-09-12 17:25 GMT+02:00 Eli Zaretskii <eliz@gnu.org>:
> Emacs is not open source.

???




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 16:06 ` Roland Winkler
  2017-09-12 16:41   ` Paul Eggert
@ 2017-09-12 16:42   ` Eli Zaretskii
  2017-09-12 17:46   ` Phillip Lord
  2 siblings, 0 replies; 119+ messages in thread
From: Eli Zaretskii @ 2017-09-12 16:42 UTC (permalink / raw)
  To: Roland Winkler; +Cc: emacs-devel

> From: Roland Winkler <winkler@gnu.org>
> Date: Tue, 12 Sep 2017 11:06:14 -0500
> 
> >   (eval-after-load "enriched"
> >     '(defun enriched-decode-display-prop (start end &optional param)
> >        (list start end)))
> 
> Many users may have the problem that they cannot upgrade immediately to
> 25.3.  Is it fair to say that putting the above lines of code in
> ~/.emacs fully protects the user from the vulnerability?

Yes, it does.

> If yes, we may want to advertise these lines of code more broadly.

Please feel free to do that.

> Or do the above lines of code provide only an incomplete fix?

It's a complete fix, in the sense that it completely removes the
vulnerability, by disabling processing of 'display' properties in
Enriched text.




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 16:30   ` Paul Eggert
@ 2017-09-12 16:52     ` Eli Zaretskii
  2017-09-12 18:26       ` Thien-Thi Nguyen
  0 siblings, 1 reply; 119+ messages in thread
From: Eli Zaretskii @ 2017-09-12 16:52 UTC (permalink / raw)
  To: Paul Eggert; +Cc: emacs-devel

> From: Paul Eggert <eggert@cs.ucla.edu>
> Date: Tue, 12 Sep 2017 09:30:44 -0700
> 
> Adding tags and branches is a matter of minutes, not days. It hasn't
> been done yet (which is not a good thing), but it should get done
> reasonably soon.

AFAIU, Nicolas is working on this as we speak.

Getting the Git repository in order is much less urgent than putting
the tarball out the door, so I asked Nicolas to do that in this order.
I don't see why this small lag is so important.  Given the nature of
the problem, the priorities were clear, I don't think they can be
controversial.




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 16:42                 ` Rostislav Svoboda
@ 2017-09-12 16:54                   ` Eli Zaretskii
  0 siblings, 0 replies; 119+ messages in thread
From: Eli Zaretskii @ 2017-09-12 16:54 UTC (permalink / raw)
  To: Rostislav Svoboda; +Cc: schwab, nicolas, emacs-devel

> From: Rostislav Svoboda <rostislav.svoboda@gmail.com>
> Date: Tue, 12 Sep 2017 18:42:24 +0200
> Cc: Andreas Schwab <schwab@suse.de>, Nicolas Petton <nicolas@petton.fr>, 
> 	"emacs-devel@gnu.org Development" <emacs-devel@gnu.org>
> 
> 2017-09-12 17:25 GMT+02:00 Eli Zaretskii <eliz@gnu.org>:
> > Emacs is not open source.
> 
> ???

  https://www.gnu.org/philosophy/free-software-for-freedom.en.html




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 16:41   ` Paul Eggert
@ 2017-09-12 16:54     ` Roland Winkler
  2017-09-12 17:12       ` Eli Zaretskii
  2017-09-13 16:39       ` Richard Stallman
  0 siblings, 2 replies; 119+ messages in thread
From: Roland Winkler @ 2017-09-12 16:54 UTC (permalink / raw)
  To: Paul Eggert; +Cc: emacs-devel

On Tue Sep 12 2017 Paul Eggert wrote:
> On 09/12/2017 09:06 AM, Roland Winkler wrote:
> > Is it fair to say that putting the above lines of code in
> > ~/.emacs fully protects the user from the vulnerability?
> 
> Yes, if they avoid options like -Q that bypass ~/.emacs.
> 
> > If yes, we may
> > want to advertise these lines of code more broadly.
> 
> What do you suggest? We sent email to info-gnu. It's been publicized on 
> Reddit, OpenNET (in Russian), Linux-Magazin (in German), and so forth.

I see, thanks.  I only knew about Nico's post here on emacs-devel.
I do not check the sources you mentioned.

I expect that (soon) http://www.gnu.org/software/emacs/ gets
updated, too.  So far, it only advertises emacs 25.2.




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 16:54     ` Roland Winkler
@ 2017-09-12 17:12       ` Eli Zaretskii
  2017-09-12 17:40         ` Paul Eggert
  2017-09-13 16:39       ` Richard Stallman
  1 sibling, 1 reply; 119+ messages in thread
From: Eli Zaretskii @ 2017-09-12 17:12 UTC (permalink / raw)
  To: Roland Winkler; +Cc: eggert, emacs-devel

> Date: Tue, 12 Sep 2017 11:54:39 -0500
> From: "Roland Winkler" <winkler@gnu.org>
> Cc: emacs-devel@gnu.org
> 
> I expect that (soon) http://www.gnu.org/software/emacs/ gets
> updated, too.  So far, it only advertises emacs 25.2.

Yes, Nicolas is working on that, too:

  http://lists.gnu.org/archive/html/emacs-devel/2017-09/msg00221.html



^ permalink raw reply	[flat|nested] 119+ messages in thread

* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 17:12       ` Eli Zaretskii
@ 2017-09-12 17:40         ` Paul Eggert
  2017-09-12 17:57           ` Eli Zaretskii
  2017-09-12 18:29           ` Nicolas Petton
  0 siblings, 2 replies; 119+ messages in thread
From: Paul Eggert @ 2017-09-12 17:40 UTC (permalink / raw)
  To: Eli Zaretskii, Roland Winkler; +Cc: Nicolas Petton, emacs-devel

On 09/12/2017 10:12 AM, Eli Zaretskii wrote:
>> I expect that (soon) http://www.gnu.org/software/emacs/ gets
>> updated, too.  So far, it only advertises emacs 25.2.
> Yes, Nicolas is working on that, too:

Arghh, I didn't know that. I updated the two web pages talking about 
release numbers (emacs.html and history.html) just before reading this 
email. I'll CC: this to Nicolas.

By the way, what's the procedure for updating the online manual? I could 
not find it written down anywhere. Not a big deal now since the 25.2 
manual is fine, but it would be helpful to know how to do it in the future.




^ permalink raw reply	[flat|nested] 119+ messages in thread

* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 16:06 ` Roland Winkler
  2017-09-12 16:41   ` Paul Eggert
  2017-09-12 16:42   ` Eli Zaretskii
@ 2017-09-12 17:46   ` Phillip Lord
  2017-09-13  1:46     ` Stefan Monnier
  2 siblings, 1 reply; 119+ messages in thread
From: Phillip Lord @ 2017-09-12 17:46 UTC (permalink / raw)
  To: Roland Winkler; +Cc: emacs-devel

On Tue, September 12, 2017 4:06 pm, Roland Winkler wrote:
> On Mon, Sep 11 2017, Nicolas Petton wrote:
>
>> This vulnerability was introduced in Emacs 19.29.  To work around that
>> in Emacs versions before 25.3, append the following to your ~/.emacs init
>> file:
>>
>>
>> (eval-after-load "enriched"
>> '(defun enriched-decode-display-prop (start end &optional param)
>> (list start end)))
>>
>
> Many users may have the problem that they cannot upgrade immediately to
> 25.3.  Is it fair to say that putting the above lines of code in
> ~/.emacs fully protects the user from the vulnerability?  If yes, we may
> want to advertise these lines of code more broadly.  Or do the above lines
> of code provide only an incomplete fix?  Then, what can users do instead
> when they still have to use older versions of emacs?



Why do we not put a "vulnerability" package onto ELPA, then install this
by default. This way, new emacs releases would provide an automatic
mechanism for fixing vulnerabilities. And, for old emacs, the advice would
be "M-x package-install vulnerability".




^ permalink raw reply	[flat|nested] 119+ messages in thread

* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 17:40         ` Paul Eggert
@ 2017-09-12 17:57           ` Eli Zaretskii
  2017-09-12 18:29           ` Nicolas Petton
  1 sibling, 0 replies; 119+ messages in thread
From: Eli Zaretskii @ 2017-09-12 17:57 UTC (permalink / raw)
  To: Paul Eggert; +Cc: nicolas, winkler, emacs-devel

> Cc: emacs-devel@gnu.org, Nicolas Petton <nicolas@petton.fr>
> From: Paul Eggert <eggert@cs.ucla.edu>
> Date: Tue, 12 Sep 2017 10:40:10 -0700
> 
> On 09/12/2017 10:12 AM, Eli Zaretskii wrote:
> >> I expect that (soon) http://www.gnu.org/software/emacs/ gets
> >> updated, too.  So far, it only advertises emacs 25.2.
> > Yes, Nicolas is working on that, too:
> 
> Arghh, I didn't know that.

He said that just today.

> I updated the two web pages talking about release numbers
> (emacs.html and history.html) just before reading this email. I'll
> CC: this to Nicolas.

I'd appreciate if you'd talked to me first in such cases.  It should
be clear that I have some handle on the situation.  These chaotic,
uncoordinated efforts by several people independently doing what they
think is best are not how we should handle such situations.



^ permalink raw reply	[flat|nested] 119+ messages in thread

* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 16:52     ` Eli Zaretskii
@ 2017-09-12 18:26       ` Thien-Thi Nguyen
  2017-09-12 18:49         ` Eli Zaretskii
  2017-09-13 16:39         ` Richard Stallman
  0 siblings, 2 replies; 119+ messages in thread
From: Thien-Thi Nguyen @ 2017-09-12 18:26 UTC (permalink / raw)
  To: emacs-devel

[-- Attachment #1: Type: text/plain, Size: 1420 bytes --]


() Eli Zaretskii <eliz@gnu.org>
() Tue, 12 Sep 2017 19:52:26 +0300

   Getting the Git repository in order is much less urgent than
   putting the tarball out the door, so I asked Nicolas to do
   that in this order.  I don't see why this small lag is so
   important.  Given the nature of the problem, the priorities
   were clear, I don't think they can be controversial.

I think the lag is important because it represents "attack
surface" (for FUD) to defend.  Look at all the noise already
precipitated.  A few seconds doing "git {commit, tag, push}"
benefits everyone interested in skipping this noise, greatly.

If those operations are not sufficient to get the repo in order,
then i suggest they be done prior to tarball publication,
anyway, but on a provisional branch.  Afterwards, the proper
"getting the repo in order" operations can work w/ that branch
to merge it back to ‘master’ or whatever.

In sum: IMHO it's fine to deviate from full release protocol if
the deviation maintains transparency.  When transparency is
lost, we need (annoying :-D) ml threads to find it again.

-- 
Thien-Thi Nguyen -----------------------------------------------
 (defun responsep (query)
   (pcase (context query)
     (`(technical ,ml) (correctp ml))
     ...))                              748E A0E8 1CB8 A748 9BFA
--------------------------------------- 6CE4 6703 2224 4C80 7502


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 197 bytes --]

^ permalink raw reply	[flat|nested] 119+ messages in thread

* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 15:55                   ` Paul Eggert
  2017-09-12 16:38                     ` Eli Zaretskii
@ 2017-09-12 18:26                     ` Nicolas Petton
  2017-09-12 19:09                     ` Nicolas Petton
  2 siblings, 0 replies; 119+ messages in thread
From: Nicolas Petton @ 2017-09-12 18:26 UTC (permalink / raw)
  To: Paul Eggert, Andreas Schwab, Eli Zaretskii; +Cc: Rostislav Svoboda, emacs-devel

[-- Attachment #1: Type: text/plain, Size: 412 bytes --]

Paul Eggert <eggert@cs.ucla.edu> writes:

> Nor do I. I was thinking of creating an emacs-25.3 branch post facto, 
> with a single commit representing the release, and tagged as emacs-25.3. 
> However, it'd be better if Nicolas did it, since I presume he already 
> has a branch in his private repository.

I do have the changes in my local repository, I'll make the emacs-25.3
branch.

Cheers,
Nico

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

^ permalink raw reply	[flat|nested] 119+ messages in thread

* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 17:40         ` Paul Eggert
  2017-09-12 17:57           ` Eli Zaretskii
@ 2017-09-12 18:29           ` Nicolas Petton
  1 sibling, 0 replies; 119+ messages in thread
From: Nicolas Petton @ 2017-09-12 18:29 UTC (permalink / raw)
  To: Paul Eggert, Eli Zaretskii, Roland Winkler; +Cc: emacs-devel

[-- Attachment #1: Type: text/plain, Size: 576 bytes --]

Paul Eggert <eggert@cs.ucla.edu> writes:

> Arghh, I didn't know that.

That's fine, thanks for updating it.

> I updated the two web pages talking about 
> release numbers (emacs.html and history.html) just before reading this 
> email. I'll CC: this to Nicolas.
>
> By the way, what's the procedure for updating the online manual? I could 
> not find it written down anywhere. Not a big deal now since the 25.2 
> manual is fine, but it would be helpful to know how to do it in the
> future.

It's documented at the end of make-tarball.txt.

Cheers,
Nico

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

^ permalink raw reply	[flat|nested] 119+ messages in thread

* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 13:29             ` Rostislav Svoboda
  2017-09-12 15:25               ` Eli Zaretskii
@ 2017-09-12 18:38               ` Nicolas Petton
  2017-09-12 18:57                 ` Eli Zaretskii
                                   ` (7 more replies)
  1 sibling, 8 replies; 119+ messages in thread
From: Nicolas Petton @ 2017-09-12 18:38 UTC (permalink / raw)
  To: Rostislav Svoboda, Andreas Schwab; +Cc: eliz, Emacs Devel

[-- Attachment #1: Type: text/plain, Size: 689 bytes --]

Rostislav Svoboda <rostislav.svoboda@gmail.com> writes:

> The thing is guys in my daily-job I do this kind of "release and pray"
> source code management on a daily basis.
> You know - cobol, mainframes, finance industry, dinosaurs...

I had to produce the tarball as quickly as I could, which meant
yesterday evening after work.  We agreed with Eli not to bother with the
website or the Git branch, as it was much less urgent than releasing the
security fix.  However, I do have the changes on my local Git repo, so
there's no need to worry (I'll push them right after sending this email).

To be honest, I'm a bit frustrated with all the negative attitude
regarding this release.

Nico

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

^ permalink raw reply	[flat|nested] 119+ messages in thread

* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 16:38                   ` Eli Zaretskii
@ 2017-09-12 18:39                     ` Nicolas Petton
  2017-09-13  6:49                     ` Andreas Schwab
  1 sibling, 0 replies; 119+ messages in thread
From: Nicolas Petton @ 2017-09-12 18:39 UTC (permalink / raw)
  To: Eli Zaretskii, Andreas Schwab; +Cc: rostislav.svoboda, emacs-devel

[-- Attachment #1: Type: text/plain, Size: 159 bytes --]

Eli Zaretskii <eliz@gnu.org> writes:

>> I don't see any branch containing the release.
>
> Do you have access to Nicolas's machine?

I certainly hope not :-D

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

^ permalink raw reply	[flat|nested] 119+ messages in thread

* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 18:26       ` Thien-Thi Nguyen
@ 2017-09-12 18:49         ` Eli Zaretskii
  2017-09-13 16:39           ` Richard Stallman
  2017-09-13 16:39         ` Richard Stallman
  1 sibling, 1 reply; 119+ messages in thread
From: Eli Zaretskii @ 2017-09-12 18:49 UTC (permalink / raw)
  To: emacs-devel

> From: Thien-Thi Nguyen <ttn@gnu.org>
> Date: Tue, 12 Sep 2017 20:26:10 +0200
> 
> I think the lag is important because it represents "attack
> surface" (for FUD) to defend.  Look at all the noise already
> precipitated.

Experience shows that noise is unavoidable, no matter what we do or
don't do.  Thus, the fact that there is noise proves or disproves
nothing.

> If those operations are not sufficient to get the repo in order,
> then i suggest they be done prior to tarball publication,
> anyway, but on a provisional branch.  Afterwards, the proper
> "getting the repo in order" operations can work w/ that branch
> to merge it back to ‘master’ or whatever.

Experience taught me that Git is tricky enough to cause even
experienced users of Git to make mistakes from time to time.  And in
this case even a slight risk of making a mistake was entirely
unacceptable.  So we've chosen a safer way, with Git issues out of the
critical path.  From my POV, the result was a smashing success.

> In sum: IMHO it's fine to deviate from full release protocol if
> the deviation maintains transparency.  When transparency is
> lost, we need (annoying :-D) ml threads to find it again.

The transparency was not lost, because the patch was posted here in
advance.



^ permalink raw reply	[flat|nested] 119+ messages in thread

* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 18:38               ` Nicolas Petton
@ 2017-09-12 18:57                 ` Eli Zaretskii
  2017-09-12 19:00                 ` Robert Weiner
                                   ` (6 subsequent siblings)
  7 siblings, 0 replies; 119+ messages in thread
From: Eli Zaretskii @ 2017-09-12 18:57 UTC (permalink / raw)
  To: Nicolas Petton; +Cc: schwab, rostislav.svoboda, emacs-devel

> From: Nicolas Petton <nicolas@petton.fr>
> Cc: Emacs Devel <emacs-devel@gnu.org>, eliz@gnu.org
> Date: Tue, 12 Sep 2017 20:38:49 +0200
> 
> To be honest, I'm a bit frustrated with all the negative attitude
> regarding this release.

Me too.  And I appreciate your hard and accurate work very much.
Thanks!



^ permalink raw reply	[flat|nested] 119+ messages in thread

* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 18:38               ` Nicolas Petton
  2017-09-12 18:57                 ` Eli Zaretskii
@ 2017-09-12 19:00                 ` Robert Weiner
  2017-09-12 20:49                 ` martin rudalics
                                   ` (5 subsequent siblings)
  7 siblings, 0 replies; 119+ messages in thread
From: Robert Weiner @ 2017-09-12 19:00 UTC (permalink / raw)
  To: Emacs Devel

[-- Attachment #1: Type: text/plain, Size: 405 bytes --]

On Tue, Sep 12, 2017 at 2:38 PM, Nicolas Petton <nicolas@petton.fr> wrote:

>
> To be honest, I'm a bit frustrated with all the negative attitude
> regarding this release.
>

Don't worry about it.  Everyone knows you are doing a great job for Emacs
as are the other major contributors.
As Eli said, there will always be noise and questions.  Your legacy will be
in the releases made.

Bob

[-- Attachment #2: Type: text/html, Size: 1285 bytes --]

^ permalink raw reply	[flat|nested] 119+ messages in thread

* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 15:55                   ` Paul Eggert
  2017-09-12 16:38                     ` Eli Zaretskii
  2017-09-12 18:26                     ` Nicolas Petton
@ 2017-09-12 19:09                     ` Nicolas Petton
  2 siblings, 0 replies; 119+ messages in thread
From: Nicolas Petton @ 2017-09-12 19:09 UTC (permalink / raw)
  To: Paul Eggert, Andreas Schwab, Eli Zaretskii; +Cc: Rostislav Svoboda, emacs-devel

[-- Attachment #1: Type: text/plain, Size: 293 bytes --]

Paul Eggert <eggert@cs.ucla.edu> writes:

> Nor do I. I was thinking of creating an emacs-25.3 branch post facto, 
> with a single commit representing the release, and tagged as
> emacs-25.3.

I have pushed commit bd299e7 in a new emacs-25.3 branch, as well as a
tag.

Cheers,
Nico

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

^ permalink raw reply	[flat|nested] 119+ messages in thread

* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 18:38               ` Nicolas Petton
  2017-09-12 18:57                 ` Eli Zaretskii
  2017-09-12 19:00                 ` Robert Weiner
@ 2017-09-12 20:49                 ` martin rudalics
  2017-09-12 22:05                 ` Rostislav Svoboda
                                   ` (4 subsequent siblings)
  7 siblings, 0 replies; 119+ messages in thread
From: martin rudalics @ 2017-09-12 20:49 UTC (permalink / raw)
  To: Nicolas Petton, Rostislav Svoboda, Andreas Schwab; +Cc: eliz, Emacs Devel

 > To be honest, I'm a bit frustrated with all the negative attitude
 > regarding this release.

Perfectly done IMHO (I'm afraid this won't relieve your frustration
though).

Many thanks, martin



^ permalink raw reply	[flat|nested] 119+ messages in thread

* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 18:38               ` Nicolas Petton
                                   ` (2 preceding siblings ...)
  2017-09-12 20:49                 ` martin rudalics
@ 2017-09-12 22:05                 ` Rostislav Svoboda
  2017-09-12 23:39                 ` Clément Pit-Claudel
                                   ` (3 subsequent siblings)
  7 siblings, 0 replies; 119+ messages in thread
From: Rostislav Svoboda @ 2017-09-12 22:05 UTC (permalink / raw)
  To: Nicolas Petton; +Cc: Andreas Schwab, Eli Zaretskii, Emacs Devel

> To be honest, I'm a bit frustrated with all the negative attitude
> regarding this release.

Don't worry too much about it Nico.
For our part this might be one of the bicycle shedding situations.
I think sometimes we should really be more grateful for your work...



^ permalink raw reply	[flat|nested] 119+ messages in thread

* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 16:05 ` Philippe Vaucher
  2017-09-12 16:30   ` Paul Eggert
  2017-09-12 16:40   ` Eli Zaretskii
@ 2017-09-12 22:11   ` Timur Aydin
  2017-09-12 22:16   ` Richard Stallman
  3 siblings, 0 replies; 119+ messages in thread
From: Timur Aydin @ 2017-09-12 22:11 UTC (permalink / raw)
  To: emacs-devel

On 9/12/2017 7:05 PM, Philippe Vaucher wrote:
> Does a vulnerability that has been there since that long really deserve 
> such a rushed release?

Yes it has been there for a very long time, without having been 
discovered. But now that it is discovered, and people have started to 
talk about it, it represents a substantial attack surface. As a result, 
it became *very* urgent to provide a fix for it.

-- 
Timur



^ permalink raw reply	[flat|nested] 119+ messages in thread

* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 12:10       ` Rostislav Svoboda
                           ` (3 preceding siblings ...)
  2017-09-12 15:17         ` Eli Zaretskii
@ 2017-09-12 22:13         ` Richard Stallman
  2017-09-14 14:19           ` Jorge A. Alfaro-Murillo
  2017-09-13  1:41         ` Stefan Monnier
  5 siblings, 1 reply; 119+ messages in thread
From: Richard Stallman @ 2017-09-12 22:13 UTC (permalink / raw)
  To: Rostislav Svoboda; +Cc: schwab, nicolas, emacs-devel

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > That would mean the Emacs 25.3 is almost open source.

We do not aim to make our software "open source".
That term stands for a political philosophy that we don't follow.
GNU Emacs is meant to be free (libre, svobodniy) software.

See https://gnu.org/philosophy/open-source-misses-the-point.html
for more explanation of the difference between free software and open
source.  See also https://thebaffler.com/past/the_meme_hustler for
Evgeny Morozov's article on the same point.

Emacs 25.3 needs to be released as free software, and that requires
releasing the source code under a proper license.  Isn't that so
already?  Emacs releases are always source code, not binary.

-- 
Dr Richard Stallman
President, Free Software Foundation (gnu.org, fsf.org)
Internet Hall-of-Famer (internethalloffame.org)
Skype: No way! See stallman.org/skype.html.




^ permalink raw reply	[flat|nested] 119+ messages in thread

* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 16:05 ` Philippe Vaucher
                     ` (2 preceding siblings ...)
  2017-09-12 22:11   ` Timur Aydin
@ 2017-09-12 22:16   ` Richard Stallman
  3 siblings, 0 replies; 119+ messages in thread
From: Richard Stallman @ 2017-09-12 22:16 UTC (permalink / raw)
  To: Philippe Vaucher; +Cc: nicolas, emacs-devel

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > Does a vulnerability that has been there since that long really deserve
  > such a rushed release?

Any vulnerability that doesn't involve a mistake by the user
calls for a quick fix.

How long the bug has existed does not change anything.

  > I mean, you could have gone through the classic release procedure with
  > tags/branches etc and maybe delay the release for 2-3 days. Would it really
  > have changed something in that case?

That is not a real reason for delay.

There is nothing sacred about the usual release procedure.
We use it under normal circumstances
because under normal circumstances it's useful:
it helps us avoid errors.

It helps us avoid errors because a normal release includes
lots of changes.

This situation is not like that, so there was no need
for that procedure.

-- 
Dr Richard Stallman
President, Free Software Foundation (gnu.org, fsf.org)
Internet Hall-of-Famer (internethalloffame.org)
Skype: No way! See stallman.org/skype.html.




^ permalink raw reply	[flat|nested] 119+ messages in thread

* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 18:38               ` Nicolas Petton
                                   ` (3 preceding siblings ...)
  2017-09-12 22:05                 ` Rostislav Svoboda
@ 2017-09-12 23:39                 ` Clément Pit-Claudel
  2017-09-13 16:18                 ` Tino Calancha
                                   ` (2 subsequent siblings)
  7 siblings, 0 replies; 119+ messages in thread
From: Clément Pit-Claudel @ 2017-09-12 23:39 UTC (permalink / raw)
  To: emacs-devel

On 2017-09-12 20:38, Nicolas Petton wrote:
> Rostislav Svoboda <rostislav.svoboda@gmail.com> writes:
> 
>> The thing is guys in my daily-job I do this kind of "release and pray"
>> source code management on a daily basis.
>> You know - cobol, mainframes, finance industry, dinosaurs...
> 
> I had to produce the tarball as quickly as I could, which meant
> yesterday evening after work.  We agreed with Eli not to bother with the
> website or the Git branch, as it was much less urgent than releasing the
> security fix.  However, I do have the changes on my local Git repo, so
> there's no need to worry (I'll push them right after sending this email).
> 
> To be honest, I'm a bit frustrated with all the negative attitude
> regarding this release.
> 
> Nico

I think you did great work.
Thanks for your hard work and your commitment!

Clément.



^ permalink raw reply	[flat|nested] 119+ messages in thread

* Hotfixing older Emacsen? Was: [ANNOUNCE] Emacs 25.3 released
  2017-09-11 20:52 [ANNOUNCE] Emacs 25.3 released Nicolas Petton
                   ` (2 preceding siblings ...)
  2017-09-12 16:06 ` Roland Winkler
@ 2017-09-12 23:45 ` Clément Pit-Claudel
  2017-09-14 10:05   ` Phillip Lord
  2017-09-18  0:03   ` Richard Stallman
  2017-09-13 18:40 ` Charles A. Roelli
  4 siblings, 2 replies; 119+ messages in thread
From: Clément Pit-Claudel @ 2017-09-12 23:45 UTC (permalink / raw)
  To: Nicolas Petton, Emacs Devel

On 2017-09-11 22:52, Nicolas Petton wrote:
> This vulnerability was introduced in Emacs 19.29.  To work around that
> in Emacs versions before 25.3, append the following to your ~/.emacs
> init file: [...]

Crazy thought: why don't we hot-patch existing Emacs installations?
Concretely, that would mean including that fix in a widely used ELPA or MELPA package. Then users would get the fix upon the next update.

In the long run, we could have an emacs-security-patches package on ELPA that's installed by default, and we could publish security fixes to that repo.
(We don't currently have this, so we could use another common package instead for this specific issue)

Wouldn't this make it much easier to fix vulnerabilities, without requiring a whole-Emacs update?

Clément.




^ permalink raw reply	[flat|nested] 119+ messages in thread

* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 12:10       ` Rostislav Svoboda
                           ` (4 preceding siblings ...)
  2017-09-12 22:13         ` Richard Stallman
@ 2017-09-13  1:41         ` Stefan Monnier
  5 siblings, 0 replies; 119+ messages in thread
From: Stefan Monnier @ 2017-09-13  1:41 UTC (permalink / raw)
  To: emacs-devel

> That would mean the Emacs 25.3 is almost open source.

Of course Emacs doesn't care to be open source or not.
It makes every effort to be as Free Software as can be, tho, and 25.3 is
no exception.


        Stefan




^ permalink raw reply	[flat|nested] 119+ messages in thread

* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 17:46   ` Phillip Lord
@ 2017-09-13  1:46     ` Stefan Monnier
  2017-09-14 19:49       ` security-patches package (was: [ANNOUNCE] Emacs 25.3 released) Ted Zlatanov
  0 siblings, 1 reply; 119+ messages in thread
From: Stefan Monnier @ 2017-09-13  1:46 UTC (permalink / raw)
  To: emacs-devel

> Why do we not put a "vulnerability" package onto ELPA, then install this
> by default. This way, new emacs releases would provide an automatic
> mechanism for fixing vulnerabilities. And, for old Emacs, the advice would
> be "M-x package-install vulnerability".

I wouldn't call it "vulnerability" since it sounds like you're willingly
installing a backdoor.  But having a "security-patches" package might
make sense.


        Stefan




^ permalink raw reply	[flat|nested] 119+ messages in thread

* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 16:37                 ` Eli Zaretskii
@ 2017-09-13  6:45                   ` Andreas Schwab
  0 siblings, 0 replies; 119+ messages in thread
From: Andreas Schwab @ 2017-09-13  6:45 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: nicolas, rostislav.svoboda, emacs-devel

On Sep 12 2017, Eli Zaretskii <eliz@gnu.org> wrote:

>> From: Andreas Schwab <schwab@suse.de>
>> Cc: nicolas@petton.fr,  rostislav.svoboda@gmail.com,  emacs-devel@gnu.org
>> Date: Tue, 12 Sep 2017 17:47:14 +0200
>> 
>> > There should be no security vulnerabilities, either.  Ever.  But there
>> > was, this time.  So we wanted to put the tarball out the door quickly
>> > and safely, because that's what the community expected.
>> 
>> It was you who removed it from the blocking items?
>
> For Emacs 26.1, which is not what we are talking about here.

It's the same thing.

Andreas.

-- 
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE  1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."



^ permalink raw reply	[flat|nested] 119+ messages in thread

* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 16:38                   ` Eli Zaretskii
  2017-09-12 18:39                     ` Nicolas Petton
@ 2017-09-13  6:49                     ` Andreas Schwab
  1 sibling, 0 replies; 119+ messages in thread
From: Andreas Schwab @ 2017-09-13  6:49 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: nicolas, rostislav.svoboda, emacs-devel

On Sep 12 2017, Eli Zaretskii <eliz@gnu.org> wrote:

>> From: Andreas Schwab <schwab@suse.de>
>> Cc: Rostislav Svoboda <rostislav.svoboda@gmail.com>,  nicolas@petton.fr,  emacs-devel@gnu.org
>> Date: Tue, 12 Sep 2017 17:48:22 +0200
>> 
>> > Maybe _you_ do that, but Nicolas didn't.  He did all his work from a
>> > Git branch, with full source control.
>> 
>> I don't see any branch containing the release.
>
> Do you have access to Nicolas's machine?

Neither do you.

Andreas.

-- 
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE  1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."



^ permalink raw reply	[flat|nested] 119+ messages in thread

* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 15:22             ` Eli Zaretskii
  2017-09-12 15:47               ` Andreas Schwab
@ 2017-09-13  6:50               ` Andreas Schwab
  2017-09-13  7:07                 ` Paul Eggert
                                   ` (2 more replies)
  2017-09-13 18:14               ` Nicolas Petton
  2017-09-19 23:36               ` John Wiegley
  3 siblings, 3 replies; 119+ messages in thread
From: Andreas Schwab @ 2017-09-13  6:50 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: nicolas, rostislav.svoboda, emacs-devel

It's all about trust.  And especially in the context of security, trust
is the most important thing.

Andreas.

-- 
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE  1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."



^ permalink raw reply	[flat|nested] 119+ messages in thread

* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-13  6:50               ` Andreas Schwab
@ 2017-09-13  7:07                 ` Paul Eggert
  2017-09-13  7:40                 ` Nicolas Petton
  2017-09-13  8:24                 ` Eli Zaretskii
  2 siblings, 0 replies; 119+ messages in thread
From: Paul Eggert @ 2017-09-13  7:07 UTC (permalink / raw)
  To: Andreas Schwab, Eli Zaretskii; +Cc: nicolas, rostislav.svoboda, emacs-devel

Andreas Schwab wrote:
> It's all about trust.  And especially in the context of security, trust
> is the most important thing.

You're right. Security-minded users need to be suspicious when new software 
releases are made out of the blue. Having an emergency release tagged and 
publicly visible in the repository can help allay these natural suspicions.

We don't have much practice making emergency Emacs releases because we don't 
often make them (which is a good thing!). That being said, the next time it 
happens we should try to have a smoother rollout, and having a properly tagged 
commit should be part of that. This will help avoid this particular confusion 
next time.

Another thing I'd like is a faster rollout. We were publicly notified of the bug 
on September 4 and did not announce a new release containing a small fix until 
over a week later. Although there were reasons for the delay, it would be better 
to get announcements and fixes out faster. I've had multiple offers from others 
to help, and would like to take up at least one of these offers. Of course trust 
is an important concern here as well.



^ permalink raw reply	[flat|nested] 119+ messages in thread

* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-13  6:50               ` Andreas Schwab
  2017-09-13  7:07                 ` Paul Eggert
@ 2017-09-13  7:40                 ` Nicolas Petton
  2017-09-13  8:53                   ` Paul Eggert
  2017-09-13 14:34                   ` Eli Zaretskii
  2017-09-13  8:24                 ` Eli Zaretskii
  2 siblings, 2 replies; 119+ messages in thread
From: Nicolas Petton @ 2017-09-13  7:40 UTC (permalink / raw)
  To: Andreas Schwab, Eli Zaretskii; +Cc: rostislav.svoboda, emacs-devel

[-- Attachment #1: Type: text/plain, Size: 544 bytes --]

Andreas Schwab <schwab@suse.de> writes:

> It's all about trust.  And especially in the context of security, trust
> is the most important thing.

First, if I'm not being trusted with the release tarballs, somebody else
can build them next time.

Second, you can easily diff the emacs-25.3 tarball against emacs-25.2.

Even if I did create a branch and tag before publishing the tarball,
you'd have no guarantee that the tarball actually contains the content
of the git commit.  Diffing is the only way for you to see the actual
changes.

Nico

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

^ permalink raw reply	[flat|nested] 119+ messages in thread
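
The message above argues that the tarball, not a Git tag, is what users actually run, so the check is a member-by-member comparison of the emacs-25.3 tarball against emacs-25.2. A sketch of that comparison, added here as an example (it is not part of the thread or of the Emacs project's tooling); the function names, file names and contents are constructed for illustration, and it complements rather than replaces checking the published .sig files.

```python
import hashlib
import io
import tarfile


def release_manifest(fileobj):
    """Map each member path (top-level directory stripped) to (type, mode, content).

    Members are hashed straight from the archive and nothing is written to
    disk, so an untrusted tarball is never unpacked just to be inspected.
    """
    manifest = {}
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:  # any compression
        for member in tar:
            # "emacs-25.3/lisp/x.el" -> "lisp/x.el", so two releases line up.
            _, _, rel = member.name.partition("/")
            if not rel:
                if member.isdir():
                    continue  # the top-level release directory itself
                rel = "<outside-release-dir>/" + member.name
            if member.isfile():
                digest = hashlib.sha256()
                stream = tar.extractfile(member)
                for chunk in iter(lambda: stream.read(65536), b""):
                    digest.update(chunk)
                content = digest.hexdigest()
            elif member.issym() or member.islnk():
                content = "-> " + member.linkname
            else:
                content = ""  # directories, devices, FIFOs: type and mode only
            manifest[rel] = (member.type, member.mode & 0o7777, content)
    return manifest


def compare_releases(old_fileobj, new_fileobj):
    """Return the paths added, removed and changed between two release tarballs."""
    old = release_manifest(old_fileobj)
    new = release_manifest(new_fileobj)
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


def build_sample_tarball(top, files):
    """Constructed sample input: a small gzip tarball held in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, (mode, data) in sorted(files.items()):
            info = tarfile.TarInfo(f"{top}/{name}")
            info.mode = mode
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


# Constructed stand-ins for two releases; names and contents are not real Emacs files.
SAMPLE_OLD = {
    "README": (0o644, b"release 25.2\n"),
    "lisp/sample.el": (0o644, b"(message \"old decoder\")\n"),
    "build.sh": (0o644, b"#!/bin/sh\n"),
    "configure": (0o755, b"#!/bin/sh\n"),
    "old-notes.txt": (0o644, b"notes\n"),
}
SAMPLE_NEW = {
    "README": (0o644, b"release 25.3\n"),
    "lisp/sample.el": (0o644, b"(message \"fixed decoder\")\n"),
    "build.sh": (0o755, b"#!/bin/sh\n"),   # same bytes, execute bit added
    "configure": (0o755, b"#!/bin/sh\n"),  # untouched
    "extra/hook.sh": (0o755, b"#!/bin/sh\n"),
}


def sample_report():
    """Compare the two constructed tarballs."""
    return compare_releases(
        build_sample_tarball("emacs-25.2", SAMPLE_OLD),
        build_sample_tarball("emacs-25.3", SAMPLE_NEW),
    )


if __name__ == "__main__":
    for kind, paths in sample_report().items():
        print(kind, paths)
```

For real releases, pass the two downloaded tarballs opened in binary mode; every path in the report is then a file to read before trusting the release.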

* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-13  6:50               ` Andreas Schwab
  2017-09-13  7:07                 ` Paul Eggert
  2017-09-13  7:40                 ` Nicolas Petton
@ 2017-09-13  8:24                 ` Eli Zaretskii
  2017-09-13  8:27                   ` Andreas Schwab
  2 siblings, 1 reply; 119+ messages in thread
From: Eli Zaretskii @ 2017-09-13  8:24 UTC (permalink / raw)
  To: emacs-devel, Andreas Schwab; +Cc: nicolas, rostislav.svoboda

On September 13, 2017 9:50:56 AM GMT+03:00, Andreas Schwab <schwab@suse.de> wrote:
> It's all about trust.  And especially in the context of security,
> trust
> is the most important thing.
> 
> Andreas.

The trust was never harmed, since the actual patch was posted
here, in advance.




^ permalink raw reply	[flat|nested] 119+ messages in thread

* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-13  8:24                 ` Eli Zaretskii
@ 2017-09-13  8:27                   ` Andreas Schwab
  2017-09-13  8:42                     ` Eli Zaretskii
  0 siblings, 1 reply; 119+ messages in thread
From: Andreas Schwab @ 2017-09-13  8:27 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: nicolas, rostislav.svoboda, emacs-devel

On Sep 13 2017, Eli Zaretskii <eliz@gnu.org> wrote:

> The trust was never harmed, since the actual patch was posted
> here, in advance.

Everyone has to do his own assessment about trust.

Andreas.

-- 
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE  1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-13  8:27                   ` Andreas Schwab
@ 2017-09-13  8:42                     ` Eli Zaretskii
  2017-09-13  8:48                       ` Andreas Schwab
  2017-09-13 15:12                       ` Mike Gerwitz
  0 siblings, 2 replies; 119+ messages in thread
From: Eli Zaretskii @ 2017-09-13  8:42 UTC (permalink / raw)
  To: emacs-devel, Andreas Schwab; +Cc: nicolas, rostislav.svoboda

On September 13, 2017 11:27:51 AM GMT+03:00, Andreas Schwab <schwab@suse.de> wrote:
> On Sep 13 2017, Eli Zaretskii <eliz@gnu.org> wrote:
> 
> > The trust was never harmed, since the actual patch was posted
> > here, in advance.
> 
> Everyone has to do his own assessment about trust.
> 
> Andreas.

The full source is in the tarball, and the change was posted in advance.
How a Git branch can increase the trust is beyond me.

This certainly smells of NIH etc.




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-13  8:42                     ` Eli Zaretskii
@ 2017-09-13  8:48                       ` Andreas Schwab
  2017-09-13 14:36                         ` Eli Zaretskii
  2017-09-13 15:12                       ` Mike Gerwitz
  1 sibling, 1 reply; 119+ messages in thread
From: Andreas Schwab @ 2017-09-13  8:48 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: nicolas, rostislav.svoboda, emacs-devel

On Sep 13 2017, Eli Zaretskii <eliz@gnu.org> wrote:

> The full source is in the tarball, and the change was posted in advance.
> How a Git branch can increase the trust is beyond me.
>
> This certainly smells of NIH etc.

It's about ignoring best practices.

Andreas.

-- 
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE  1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-13  7:40                 ` Nicolas Petton
@ 2017-09-13  8:53                   ` Paul Eggert
  2017-09-13  8:57                     ` Rostislav Svoboda
  2017-09-13 14:34                   ` Eli Zaretskii
  1 sibling, 1 reply; 119+ messages in thread
From: Paul Eggert @ 2017-09-13  8:53 UTC (permalink / raw)
  To: Nicolas Petton, Andreas Schwab, Eli Zaretskii
  Cc: rostislav.svoboda, emacs-devel

Nicolas Petton wrote:
> First, if I'm not being trusted with the release tarballs, somebody else
> can build them next time.
> 
> Second, you can easily diff the emacs-25.3 tarball against emacs-25.2.
> 
> Even if I did create a branch and tag before publishing the tarball,
> you'd have no guarantee that the tarball actually contains the content
> of the git commit.  Diffing is the only way for you to see the actual
> changes.

All quite true. Still, trust is typically established by multiple means. Many 
users won't have time to track down where the diff was published or to read the 
diff, or they won't have the technical ability to understand the diff's 
implications. And many users won't know who you are. But if these users trust 
savannah.gnu.org, a tagged commit there can be enough for them so that they 
don't have to do the other stuff. (And there may be some very cautious users who 
want to do all of the above....)

So it is helpful to have a tagged commit at the time of release, even though a 
tag by itself is not enough to satisfy the most-cautious, and even though many 
users don't care about the tag.

Some background here. I've managed releases for the public-domain time zone 
database (tzdb) for several years. Some of my correspondents there are *quite* 
cautious, way more cautious than anything mentioned in this thread. They have 
asked for multiple ways to verify that each release is what it purports to be, 
beyond what I thought was needed. But they're *users*. They know their needs 
better than I do. And if they say they want SHA-512 checksums in addition to GPG 
checksums, who am I to tell them that they're redundant? I want them to trust 
the tzdb distribution, so I try to accommodate their concerns, not to argue with 
them.
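
The checks discussed in the two messages above (diffing the emacs-25.3 tarball against emacs-25.2, and publishing a SHA-512 checksum in addition to the signature), as an added example that is not part of the thread or of the Emacs release process: it compares two tarballs file by file without extracting them and lists every path that differs but was not covered by the reviewed patch. The archive contents, the file lisp/sample-mode.el and the reviewed-path list are constructed for illustration.

```python
import hashlib
import hmac
import io
import tarfile


def sha512_matches(tar_bytes, published_hex):
    """Check a whole tarball against a separately published SHA-512 value."""
    actual = hashlib.sha512(tar_bytes).hexdigest()
    return hmac.compare_digest(actual, published_hex.strip().lower())


def manifest(tar_bytes):
    """Map each path (top-level directory stripped) to a content fingerprint.

    Members are read in memory and never written to disk, so inspecting an
    untrusted archive cannot create files outside a target directory.
    """
    entries = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if member.isdir():
                continue
            # emacs-25.2/etc/AUTHORS and emacs-25.3/etc/AUTHORS share one key.
            relpath = member.name.split("/", 1)[-1]
            if member.isfile():
                data = tar.extractfile(member).read()
                entries[relpath] = hashlib.sha512(data).hexdigest()
            else:
                # Links and device nodes have no content; record what they are
                # so that a newly added symlink still shows up as a difference.
                entries[relpath] = "special:%s:%s" % (
                    member.type.decode(), member.linkname)
    return entries


def compare(old, new):
    """Return the added, removed and changed paths between two manifests."""
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(p for p in old.keys() & new.keys()
                          if old[p] != new[p]),
    }


def outside_review(diff, reviewed_paths):
    """Paths that differ between releases but are absent from the review."""
    touched = set(diff["added"]) | set(diff["removed"]) | set(diff["changed"])
    return sorted(touched - set(reviewed_paths))


def build_tarball(topdir, files):
    """Build a small .tar.gz in memory (constructed sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in sorted(files.items()):
            info = tarfile.TarInfo(name="%s/%s" % (topdir, path))
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample trees; none of this content comes from a real release.
BASE = {
    "ChangeLog": b"constructed changelog\n",
    "README": b"constructed readme\n",
    "etc/AUTHORS": b"constructed authors list\n",
    "lisp/sample-mode.el": b";; decoder before the fix (constructed)\n",
}
FIXED = dict(BASE)
FIXED["ChangeLog"] = b"constructed changelog\nfix entry\n"
FIXED["lisp/sample-mode.el"] = b";; decoder after the fix (constructed)\n"
TAMPERED = dict(FIXED)
TAMPERED["lisp/extra.el"] = b";; file nobody reviewed (constructed)\n"

OLD_TARBALL = build_tarball("emacs-25.2", BASE)
NEW_TARBALL = build_tarball("emacs-25.3", FIXED)
TAMPERED_TARBALL = build_tarball("emacs-25.3", TAMPERED)

# Assumption: the paths the publicly posted patch and release notes touch.
REVIEWED = ["ChangeLog", "etc/AUTHORS", "lisp/sample-mode.el"]

if __name__ == "__main__":
    for label, blob in (("release", NEW_TARBALL), ("tampered", TAMPERED_TARBALL)):
        diff = compare(manifest(OLD_TARBALL), manifest(blob))
        print(label, diff, "outside review:", outside_review(diff, REVIEWED))
```

The same comparison applies to the output of `git archive` for a release tag, which is how a tarball can be checked against a tagged commit; files generated when the tarball was made then appear as added.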




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-13  8:53                   ` Paul Eggert
@ 2017-09-13  8:57                     ` Rostislav Svoboda
  2017-09-13 14:51                       ` Eli Zaretskii
  0 siblings, 1 reply; 119+ messages in thread
From: Rostislav Svoboda @ 2017-09-13  8:57 UTC (permalink / raw)
  To: Paul Eggert
  Cc: Andreas Schwab, Nicolas Petton, Eli Zaretskii,
	emacs-devel@gnu.org Development

I have a habit of building my emacs from the (git repo) source under GNU Linux.
Since I do it often (= everything is already installed & configured)
it's a simple:
    make; sudo make install
When looking at nt/README*, nt/INSTALL* I see it's a 1512-line-long story.
Could we make it shorter please?

@Nico: I guess you're the most experienced one here - are these files up-to-date?

Thanx




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-13  7:40                 ` Nicolas Petton
  2017-09-13  8:53                   ` Paul Eggert
@ 2017-09-13 14:34                   ` Eli Zaretskii
  1 sibling, 0 replies; 119+ messages in thread
From: Eli Zaretskii @ 2017-09-13 14:34 UTC (permalink / raw)
  To: Nicolas Petton; +Cc: schwab, rostislav.svoboda, emacs-devel

> From: Nicolas Petton <nicolas@petton.fr>
> Cc: rostislav.svoboda@gmail.com, emacs-devel@gnu.org
> Date: Wed, 13 Sep 2017 09:40:23 +0200
> 
> > It's all about trust.  And especially in the context of security, trust
> > is the most important thing.
> 
> First, if I'm not being trusted with the release tarballs, somebody else
> can build them next time.

I trust you, Nicolas.

An important aspect of free software that people tend to forget is
that whoever does the job gets to choose the tools, and as long as the
end result is good (and in this case it is more than that), that's
their prerogative.  Letting someone do an important job, let alone
service to the community, and then criticizing them for the tools
they've chosen, is at least unfair.

Nicolas volunteered for the job when no one else would.  Let's be
grateful, and let's see the 99% full part of the glass.  If we don't
support our volunteers, we have no future.




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-13  8:48                       ` Andreas Schwab
@ 2017-09-13 14:36                         ` Eli Zaretskii
  0 siblings, 0 replies; 119+ messages in thread
From: Eli Zaretskii @ 2017-09-13 14:36 UTC (permalink / raw)
  To: Andreas Schwab; +Cc: nicolas, rostislav.svoboda, emacs-devel

> From: Andreas Schwab <schwab@suse.de>
> Cc: emacs-devel@gnu.org,  nicolas@petton.fr, rostislav.svoboda@gmail.com
> Date: Wed, 13 Sep 2017 10:48:49 +0200
> 
> On Sep 13 2017, Eli Zaretskii <eliz@gnu.org> wrote:
> 
> > The full source is in the tarball, and the change was posted in advance.
> > How a Git branch can increase the trust is beyond me.
> >
> > This certainly smells of NIH etc.
> 
> It's about ignoring best practices.

They were not ignored.  And we don't have "best practices" for such a
contingency, at least not yet.




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-13  8:57                     ` Rostislav Svoboda
@ 2017-09-13 14:51                       ` Eli Zaretskii
  0 siblings, 0 replies; 119+ messages in thread
From: Eli Zaretskii @ 2017-09-13 14:51 UTC (permalink / raw)
  To: Rostislav Svoboda; +Cc: emacs-devel

> From: Rostislav Svoboda <rostislav.svoboda@gmail.com>
> Date: Wed, 13 Sep 2017 10:57:09 +0200
> Cc: Nicolas Petton <nicolas@petton.fr>, Andreas Schwab <schwab@suse.de>, Eli Zaretskii <eliz@gnu.org>, 
> 	"emacs-devel@gnu.org Development" <emacs-devel@gnu.org>
> 
> When looking at nt/README*, nt/INSTALL* I see it's a 1512-line-long story.
> Could we make it shorter please?

(You do realize that nt/INSTALL is for building Emacs on MS-Windows,
yes?)

nt/INSTALL begins with a 27-line short description of the build
procedure.  All the rest explains how to set up the development
environment, where to find optional support libraries, etc. --
something that on Windows is not always trivial.  If you already have
figured out how to set up your build environment, you don't need to
read anything past those first 27 lines.

IOW, the rest of the 1500 lines have nothing to do with the build per
se.

> @Nico: I guess you're the most experienced one here - are these files up-to-date?

They are.




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-13  8:42                     ` Eli Zaretskii
  2017-09-13  8:48                       ` Andreas Schwab
@ 2017-09-13 15:12                       ` Mike Gerwitz
  2017-09-13 15:57                         ` Eli Zaretskii
  1 sibling, 1 reply; 119+ messages in thread
From: Mike Gerwitz @ 2017-09-13 15:12 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: Andreas Schwab, nicolas, rostislav.svoboda, emacs-devel


On Wed, Sep 13, 2017 at 11:42:05 +0300, Eli Zaretskii wrote:
> The full source is in the tarball, and the change was posted in advance.
> How a Git branch can increase the trust is beyond me.
>
> This certainly smells of NIH etc.

Also, the tarball was uploaded to ftp.gnu.org, and signed.  Uploading to
ftp.gnu.org itself requires the request to be signed with a GPG key
registered on Savannah.[0]  This level of security is greater and more
formal than repository commits/tags.

If someone's system were compromised to the point of being able to
successfully upload to ftp.gnu.org, chances are that they'll be able to
forge a commit to the repository as well.

[0]: https://www.gnu.org/prep/maintain/maintain.html#Distribution-on-ftp_002egnu_002eorg

-- 
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B  2388 FEF6 3574 5E6F 6D05
https://mikegerwitz.com


* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-13 15:12                       ` Mike Gerwitz
@ 2017-09-13 15:57                         ` Eli Zaretskii
  0 siblings, 0 replies; 119+ messages in thread
From: Eli Zaretskii @ 2017-09-13 15:57 UTC (permalink / raw)
  To: Mike Gerwitz; +Cc: schwab, nicolas, rostislav.svoboda, emacs-devel

> From: Mike Gerwitz <mtg@gnu.org>
> Cc: emacs-devel@gnu.org, Andreas Schwab <schwab@suse.de>,  nicolas@petton.fr,  rostislav.svoboda@gmail.com
> Date: Wed, 13 Sep 2017 11:12:49 -0400
> 
> Also, the tarball was uploaded to ftp.gnu.org, and signed.  Uploading to
> ftp.gnu.org itself requires the request to be signed with a GPG key
> registered on Savannah.[0]  This level of security is greater and more
> formal than repository commits/tags.

Indeed.

> If someone's system were compromised to the point of being able to
> successfully upload to ftp.gnu.org, chances are that they'll be able to
> forge a commit to the repository as well.

Before the announcement went out, the tarball was downloaded from
ftp.gnu.org to 3 different machines by 2 different people, built on
all 3 machines independently, and the build verified to not have the
vulnerability which Emacs 25.3 was supposed to fix.  I think this made
the possibility of tampering negligibly small, if not strictly zero.




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 18:38               ` Nicolas Petton
                                   ` (4 preceding siblings ...)
  2017-09-12 23:39                 ` Clément Pit-Claudel
@ 2017-09-13 16:18                 ` Tino Calancha
  2017-09-13 16:39                 ` Richard Stallman
  2017-09-20 22:32                 ` Tim Cross
  7 siblings, 0 replies; 119+ messages in thread
From: Tino Calancha @ 2017-09-13 16:18 UTC (permalink / raw)
  To: Nicolas Petton; +Cc: Emacs Devel



On Tue, 12 Sep 2017, Nicolas Petton wrote:

> To be honest, I'm a bit frustrated with all the negative attitude
> regarding this release.
>
> Nico
Excellent job, very appreciated from my location.
Thank you very much!
Tino




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 16:54     ` Roland Winkler
  2017-09-12 17:12       ` Eli Zaretskii
@ 2017-09-13 16:39       ` Richard Stallman
  2017-09-13 19:36         ` Ulrich Mueller
  1 sibling, 1 reply; 119+ messages in thread
From: Richard Stallman @ 2017-09-13 16:39 UTC (permalink / raw)
  To: Roland Winkler; +Cc: eggert, emacs-devel

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

Perhaps we should rename the Emacs 25.2 tarball and all the other old
tarballs, adding a suffix saying do not use.

-- 
Dr Richard Stallman
President, Free Software Foundation (gnu.org, fsf.org)
Internet Hall-of-Famer (internethalloffame.org)
Skype: No way! See stallman.org/skype.html.





* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 18:26       ` Thien-Thi Nguyen
  2017-09-12 18:49         ` Eli Zaretskii
@ 2017-09-13 16:39         ` Richard Stallman
  2017-09-14  6:51           ` Thien-Thi Nguyen
  1 sibling, 1 reply; 119+ messages in thread
From: Richard Stallman @ 2017-09-13 16:39 UTC (permalink / raw)
  To: emacs-devel; +Cc: emacs-devel

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > I think the lag is important because it represents "attack
  > surface" (for FUD) to defend.

Let's not overstate the importance of a few confused messages.

-- 
Dr Richard Stallman
President, Free Software Foundation (gnu.org, fsf.org)
Internet Hall-of-Famer (internethalloffame.org)
Skype: No way! See stallman.org/skype.html.





* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 18:38               ` Nicolas Petton
                                   ` (5 preceding siblings ...)
  2017-09-13 16:18                 ` Tino Calancha
@ 2017-09-13 16:39                 ` Richard Stallman
  2017-09-20 22:32                 ` Tim Cross
  7 siblings, 0 replies; 119+ messages in thread
From: Richard Stallman @ 2017-09-13 16:39 UTC (permalink / raw)
  To: Nicolas Petton; +Cc: schwab, eliz, rostislav.svoboda, emacs-devel

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > To be honest, I'm a bit frustrated with all the negative attitude
  > regarding this release.

The people who understand the issue appreciate that what you did was
fine.

-- 
Dr Richard Stallman
President, Free Software Foundation (gnu.org, fsf.org)
Internet Hall-of-Famer (internethalloffame.org)
Skype: No way! See stallman.org/skype.html.





* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 18:49         ` Eli Zaretskii
@ 2017-09-13 16:39           ` Richard Stallman
  0 siblings, 0 replies; 119+ messages in thread
From: Richard Stallman @ 2017-09-13 16:39 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: emacs-devel

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > > I think the lag is important because it represents "attack
  > > surface" (for FUD) to defend.  Look at all the noise already
  > > precipitated.

  > Experience shows that noise is unavoidable, no matter what we do or
  > don't do.  Thus, the fact that there is noise proves or disproves
  > nothing.

That is my experience too.  We shouldn't worry ourselves about
opportunities for FUD, because they are always plentiful.

-- 
Dr Richard Stallman
President, Free Software Foundation (gnu.org, fsf.org)
Internet Hall-of-Famer (internethalloffame.org)
Skype: No way! See stallman.org/skype.html.





* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 15:22             ` Eli Zaretskii
  2017-09-12 15:47               ` Andreas Schwab
  2017-09-13  6:50               ` Andreas Schwab
@ 2017-09-13 18:14               ` Nicolas Petton
  2017-09-19 23:36               ` John Wiegley
  3 siblings, 0 replies; 119+ messages in thread
From: Nicolas Petton @ 2017-09-13 18:14 UTC (permalink / raw)
  To: Eli Zaretskii, Andreas Schwab; +Cc: rostislav.svoboda, rms, emacs-devel


Eli Zaretskii <eliz@gnu.org> writes:

> There should be no security vulnerabilities, either.  Ever.  But there
> was, this time.  So we wanted to put the tarball out the door quickly
> and safely, because that's what the community expected.
>
> We should all thank Nicolas who did a splendid job, just a few hours
> after I gave him the final patch.  There's no need to pounce on him or
> make the (false) presentation of his job as less than perfect.

Thank you Eli (and the others as well) for your kind words.

Nico


* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-11 20:52 [ANNOUNCE] Emacs 25.3 released Nicolas Petton
                   ` (3 preceding siblings ...)
  2017-09-12 23:45 ` Hotfixing older Emacsen? Was: [ANNOUNCE] Emacs 25.3 released Clément Pit-Claudel
@ 2017-09-13 18:40 ` Charles A. Roelli
  4 siblings, 0 replies; 119+ messages in thread
From: Charles A. Roelli @ 2017-09-13 18:40 UTC (permalink / raw)
  To: Nicolas Petton; +Cc: emacs-devel

> From: Nicolas Petton <nicolas@petton.fr>
> Date: Mon, 11 Sep 2017 22:52:00 +0200
> 
> Hi!
> 
> Version 25.3 of the Emacs text editor is now available.

Cheers, and thanks for getting this release out the door so
responsively.




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-13 16:39       ` Richard Stallman
@ 2017-09-13 19:36         ` Ulrich Mueller
  2017-09-14  1:42           ` Richard Stallman
  0 siblings, 1 reply; 119+ messages in thread
From: Ulrich Mueller @ 2017-09-13 19:36 UTC (permalink / raw)
  To: rms; +Cc: eggert, Roland Winkler, emacs-devel

>>>>> On Wed, 13 Sep 2017, Richard Stallman wrote:

> Perhaps we should rename the Emacs 25.2 tarball and all the other
> old tarballs, adding a suffix saying do not use.

Please don't. That would break the download for distros who rely on
pristine upstream sources and apply separate patches. For example,
Gentoo still has packages app-editors/emacs-23.4-r16 and
app-editors/emacs-24.5-r4 (of course, both *with* the fix for
enriched-mode).

Ulrich




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-13 19:36         ` Ulrich Mueller
@ 2017-09-14  1:42           ` Richard Stallman
  2017-09-14  6:37             ` Ulrich Mueller
  0 siblings, 1 reply; 119+ messages in thread
From: Richard Stallman @ 2017-09-14  1:42 UTC (permalink / raw)
  To: Ulrich Mueller; +Cc: eggert, winkler, emacs-devel

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > Please don't. That would break the download for distros who rely on
  > pristine upstream sources and apply separate patches. For example,
  > Gentoo still has packages app-editors/emacs-23.4-r16 and
  > app-editors/emacs-24.5-r4 (of course, both *with* the fix for
  > enriched-mode).

So how do we inform people not to download the broken versions?

If Gentoo will have a patch to fix that version,
can't the same patch put in the new file name of that version?

-- 
Dr Richard Stallman
President, Free Software Foundation (gnu.org, fsf.org)
Internet Hall-of-Famer (internethalloffame.org)
Skype: No way! See stallman.org/skype.html.





* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-14  1:42           ` Richard Stallman
@ 2017-09-14  6:37             ` Ulrich Mueller
  2017-09-14 13:24               ` Etienne Prud’homme
  2017-09-14 20:52               ` [ANNOUNCE] " Richard Stallman
  0 siblings, 2 replies; 119+ messages in thread
From: Ulrich Mueller @ 2017-09-14  6:37 UTC (permalink / raw)
  To: rms; +Cc: eggert, winkler, emacs-devel

>>>>> On Wed, 13 Sep 2017, Richard Stallman wrote:

>> Please don't. That would break the download for distros who rely on
>> pristine upstream sources and apply separate patches. For example,
>> Gentoo still has packages app-editors/emacs-23.4-r16 and
>> app-editors/emacs-24.5-r4 (of course, both *with* the fix for
>> enriched-mode).

> So how do we inform people not to download the broken versions?

Bugs (security or other) happen all the time, so most old versions
will be broken in some way. In spite of that, I am not aware of any
project that is renaming its old tarballs.

It is also not the first time there is a security bug in GNU Emacs
(although it's been a while since the last one). A quick search shows
CVE-2014-3421, -3422, -3423, and -3424 concerning insecure handling
of temporary files in gnus-fun.el, find-gc.el, browse-url.el, and
tramp.el. No renaming of tarballs took place, neither for that issue
(which affected Emacs 24.3) nor for any previous ones.

I would also assume that users will generally download only the latest
version of any given software, and that they are aware that old
versions can contain bugs.

> If Gentoo will have a patch to fix that version,
> can't the same patch put in the new file name of that version?

Sure, we could update the filename in our ebuild. Which would mean
more work though. We have some 19000 packages in the distro, and
there's other work to do than monitoring if upstream tarballs have
been renamed.

Ulrich




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-13 16:39         ` Richard Stallman
@ 2017-09-14  6:51           ` Thien-Thi Nguyen
  2017-09-15  8:01             ` Eli Zaretskii
  0 siblings, 1 reply; 119+ messages in thread
From: Thien-Thi Nguyen @ 2017-09-14  6:51 UTC (permalink / raw)
  To: emacs-devel



() Richard Stallman <rms@gnu.org>
() Wed, 13 Sep 2017 12:39:49 -0400

     > I think the lag is important because it represents
     > "attack surface" (for FUD) to defend.

   Let's not overstate the importance of a few confused
   messages.

The confusion for people who understand is zero.  For those who
do not understand, it is variable and likewise its import (i.e.,
the import cannot be overstated for those people).

The primary reason to maximize process transparency is to reduce
potential misunderstanding.  Sorry, i was not clear about that
(instead i focused on the secondary point -- the effort involved
to handle one particular source of potential misunderstanding).

Anyway, i'm glad to see the lag was small.  Cool.

-- 
Thien-Thi Nguyen -----------------------------------------------
 (defun responsep (query)
   (pcase (context query)
     (`(technical ,ml) (correctp ml))
     ...))                              748E A0E8 1CB8 A748 9BFA
--------------------------------------- 6CE4 6703 2224 4C80 7502


* Re: Hotfixing older Emacsen? Was: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 23:45 ` Hotfixing older Emacsen? Was: [ANNOUNCE] Emacs 25.3 released Clément Pit-Claudel
@ 2017-09-14 10:05   ` Phillip Lord
  2017-09-18  0:03   ` Richard Stallman
  1 sibling, 0 replies; 119+ messages in thread
From: Phillip Lord @ 2017-09-14 10:05 UTC (permalink / raw)
  To: Clément Pit-Claudel; +Cc: Nicolas Petton, Emacs Devel

Clément Pit-Claudel <cpitclaudel@gmail.com> writes:

> On 2017-09-11 22:52, Nicolas Petton wrote:
>> This vulnerability was introduced in Emacs 19.29.  To work around that
>> in Emacs versions before 25.3, append the following to your ~/.emacs
>> init file: [...]
>
> Crazy thought: why don't we hot-patch existing Emacs installations?
> Concretely, that would mean including that fix in a widely used ELPA
> or MELPA package. Then users would get the fix upon the next update.
>
> In the long run, we could have an emacs-security-patches package on
> ELPA that's installed by default, and we could publish security fixes
> to that repo.
> (We don't currently have this, so we could use another common package
> instead for this specific issue)
>
> Wouldn't this make it much easier to fix vulnerabilities, without
> requiring a whole-Emacs update?


Putting fixes in another package doesn't make sense. Adding a
security-hotfix package to ELPA is simple and easy to do. For future
Emacs, it would be possible to do things like auto-install that package.

Phil




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 16:40   ` Eli Zaretskii
@ 2017-09-14 11:15     ` Philippe Vaucher
  0 siblings, 0 replies; 119+ messages in thread
From: Philippe Vaucher @ 2017-09-14 11:15 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: Nicolas Petton, Emacs developers


> > Does a vulnerability that has been there since that long really deserve
> > such a rushed release?
>
> The same question, more or less, was already asked and answered, in
> the positive.  People actually wanted the release even earlier, but we
> had to wait for a day until Nicolas could find free time.
>
> > I don't understand why this particular security issue was treated that
> > dramatically, but maybe I'm missing something.
>
> That's what everyone wanted.  Just read the lists.

Sorry that I missed it. I'll read the other threads then, thanks.

Philippe


* Re: Emacs 25.3 released
  2017-09-14  6:37             ` Ulrich Mueller
@ 2017-09-14 13:24               ` Etienne Prud’homme
  2017-09-14 15:01                 ` Nicolas Petton
  2017-09-14 20:52               ` [ANNOUNCE] " Richard Stallman
  1 sibling, 1 reply; 119+ messages in thread
From: Etienne Prud’homme @ 2017-09-14 13:24 UTC (permalink / raw)
  To: Ulrich Mueller; +Cc: eggert, emacs-devel, rms, winkler

Ulrich Mueller <ulm@gentoo.org> writes:

>>>>>> On Wed, 13 Sep 2017, Richard Stallman wrote:
>
>>> Please don't. That would break the download for distros who rely on
>>> pristine upstream sources and apply separate patches. For example,
>>> Gentoo still has packages app-editors/emacs-23.4-r16 and
>>> app-editors/emacs-24.5-r4 (of course, both *with* the fix for
>>> enriched-mode).
>
>> So how do we inform people not to download the broken versions?
>
> Bugs (security or other) happen all the time, so most old versions
> will be broken in some way. In spite of that, I am not aware of any
> project that is renaming its old tarballs.
>
> It is also not the first time there is a security bug in GNU Emacs
> (although it's been a while since the last one). A quick search shows
> CVE-2014-3421, -3422, -3423, and -3424 concerning insecure handling
> of temporary files in gnus-fun.el, find-gc.el, browse-url.el, and
> tramp.el. No renaming of tarballs took place, neither for that issue
> (which affected Emacs 24.3) nor for any previous ones.
>
> I would also assume that users will generally download only the latest
> version of any given software, and that they are aware that old
> versions can contain bugs.
>
>> If Gentoo will have a patch to fix that version,
>> can't the same patch put in the new file name of that version?
>
> Sure, we could update the filename in our ebuild. Which would mean
> more work though. We have some 19000 packages in the distro, and
> there's other work to do than monitoring if upstream tarballs have
> been renamed.
>
> Ulrich

Was there any fix for versions older than 24?

Maybe we could patch older versions too.  I think it might be helpful to
set up a critical update mechanism.  By that I mean patching every
affected version automatically with the semantic version system
(increment by 0.0.1 for bug fixes).  By the way, are tarballs
automatically generated?  If not, would it be hard to implement?

ps: I’m grateful for Petton’s work and not trying to minimize what he
did.

--
Etienne




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 22:13         ` Richard Stallman
@ 2017-09-14 14:19           ` Jorge A. Alfaro-Murillo
  2017-09-14 20:50             ` Richard Stallman
  0 siblings, 1 reply; 119+ messages in thread
From: Jorge A. Alfaro-Murillo @ 2017-09-14 14:19 UTC (permalink / raw)
  To: emacs-devel

Richard Stallman writes:

> See also https://thebaffler.com/past/the_meme_hustler for
> Evgeny Morozov's article on the same point.

It seems like that link doesn't work anymore. This one works, though:

https://thebaffler.com/salvos/the-meme-hustler

Best,
-- 
Jorge.





* Re: Emacs 25.3 released
  2017-09-14 13:24               ` Etienne Prud’homme
@ 2017-09-14 15:01                 ` Nicolas Petton
  0 siblings, 0 replies; 119+ messages in thread
From: Nicolas Petton @ 2017-09-14 15:01 UTC (permalink / raw)
  To: Etienne Prud’homme, Ulrich Mueller
  Cc: eggert, winkler, rms, emacs-devel


Etienne Prud’homme <e.e.f.prudhomme@gmail.com> writes:

> By the way, are tarballs
> automatically generated?  If not, would it be hard to implement?

They are not automatically built.  Unfortunately, there is manual work
(usually fixes in the ChangeLog files, updating etc/AUTHORS which often
involves updating admin/authors.el) to be done for each tarball.

Cheers,
Nico


* security-patches package (was: [ANNOUNCE] Emacs 25.3 released)
  2017-09-13  1:46     ` Stefan Monnier
@ 2017-09-14 19:49       ` Ted Zlatanov
  2017-09-15 12:32         ` security-patches package Stefan Monnier
  0 siblings, 1 reply; 119+ messages in thread
From: Ted Zlatanov @ 2017-09-14 19:49 UTC (permalink / raw)
  To: emacs-devel

On Tue, 12 Sep 2017 21:46:38 -0400 Stefan Monnier <monnier@iro.umontreal.ca> wrote: 

SM> having a "security-patches" package might make sense.

I would love to see that as well, especially if it was well tested in a
CI system against various versions of Emacs.

What needs to happen so the experience is seamless?

Ted





* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-14 14:19           ` Jorge A. Alfaro-Murillo
@ 2017-09-14 20:50             ` Richard Stallman
  0 siblings, 0 replies; 119+ messages in thread
From: Richard Stallman @ 2017-09-14 20:50 UTC (permalink / raw)
  To: Jorge A. Alfaro-Murillo; +Cc: emacs-devel

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

Thanks.

-- 
Dr Richard Stallman
President, Free Software Foundation (gnu.org, fsf.org)
Internet Hall-of-Famer (internethalloffame.org)
Skype: No way! See stallman.org/skype.html.





* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-14  6:37             ` Ulrich Mueller
  2017-09-14 13:24               ` Etienne Prud’homme
@ 2017-09-14 20:52               ` Richard Stallman
  1 sibling, 0 replies; 119+ messages in thread
From: Richard Stallman @ 2017-09-14 20:52 UTC (permalink / raw)
  To: Ulrich Mueller; +Cc: eggert, winkler, emacs-devel

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

You've convinced me.  I guess it is ok not to rename the old tar files.
Thanks.

-- 
Dr Richard Stallman
President, Free Software Foundation (gnu.org, fsf.org)
Internet Hall-of-Famer (internethalloffame.org)
Skype: No way! See stallman.org/skype.html.





* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-14  6:51           ` Thien-Thi Nguyen
@ 2017-09-15  8:01             ` Eli Zaretskii
  0 siblings, 0 replies; 119+ messages in thread
From: Eli Zaretskii @ 2017-09-15  8:01 UTC (permalink / raw)
  To: emacs-devel

> From: Thien-Thi Nguyen <ttn@gnu.org>
> Date: Thu, 14 Sep 2017 08:51:40 +0200
> 
> The primary reason to maximize process transparency is to reduce
> potential misunderstanding.

That's the advantage, yes.  The (not insignificant) disadvantage is
that every revealed detail of the process tends to trigger a
non-trivial amount of discussions, objections, counter-proposals, etc.
When there's no urgency, this disadvantage is negligible, and should
be generally disregarded.  But when the action should be urgent, the
optimal balance between transparency and just getting the job done
shifts.  I think in this case the balance was about right.

Ultimately, in such extremal situations, the community should trust
those who do the job.  If they are not trusted, they shouldn't be
asked to do the job in the first place.




* Re: security-patches package
  2017-09-14 19:49       ` security-patches package (was: [ANNOUNCE] Emacs 25.3 released) Ted Zlatanov
@ 2017-09-15 12:32         ` Stefan Monnier
  2017-09-16 15:50           ` Ted Zlatanov
  0 siblings, 1 reply; 119+ messages in thread
From: Stefan Monnier @ 2017-09-15 12:32 UTC (permalink / raw)
  To: emacs-devel

SM> having a "security-patches" package might make sense.
> I would love to see that as well, especially if it was well tested in a
> CI system against various versions of Emacs.
> What needs to happen so the experience is seamless?

Step one is to create this package in elpa.git, putting the fix for the
enriched.el bug.


        Stefan





* Re: security-patches package
  2017-09-15 12:32         ` security-patches package Stefan Monnier
@ 2017-09-16 15:50           ` Ted Zlatanov
  2017-09-21 20:01             ` Phillip Lord
  0 siblings, 1 reply; 119+ messages in thread
From: Ted Zlatanov @ 2017-09-16 15:50 UTC (permalink / raw)
  To: emacs-devel

On Fri, 15 Sep 2017 08:32:16 -0400 Stefan Monnier <monnier@iro.umontreal.ca> wrote: 

SM> having a "security-patches" package might make sense.
>> I would love to see that as well, especially if it was well tested in a
>> CI system against various versions of Emacs.
>> What needs to happen so the experience is seamless?

SM> Step one is to create this package in elpa.git, putting the fix for the
SM> enriched.el bug.

A package is pretty easy but I have a few questions before putting that
out:

* how do we prevent accidental or malicious commits to this package?
  Could it maybe live in a special "GNU ELPA security updates" archive
  separate from elpa.git?

* should it be signed+released in a special way? How do we test it?

* what version of Emacs will begin to check for this package?

* Can we do push notifications somehow or are we limited to polling?

* should there be a special mailing list for internal discussions?

* how do we make the experience seamless (on startup, during a
  long-running session, unattended, for a whole site)?

In a related vein, I mentioned a while ago that it would be really nice
to see the changes (from what's installed) to all the code in a package
before upgrading it. I think for security updates that would be
especially useful.

Thanks
Ted





* Re: Hotfixing older Emacsen? Was: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 23:45 ` Hotfixing older Emacsen? Was: [ANNOUNCE] Emacs 25.3 released Clément Pit-Claudel
  2017-09-14 10:05   ` Phillip Lord
@ 2017-09-18  0:03   ` Richard Stallman
  2017-09-18  7:48     ` Nicolas Petton
  1 sibling, 1 reply; 119+ messages in thread
From: Richard Stallman @ 2017-09-18  0:03 UTC (permalink / raw)
  To: Clément Pit-Claudel; +Cc: nicolas, emacs-devel

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > Crazy thought: why don't we hot-patch existing Emacs installations?
  > Concretely, that would mean including that fix in a widely used ELPA or MELPA package. Then users would get the fix upon the next update.

This verges on a universal back door, aka "auto-upgrade"
which is a form of malware normally found in proprietary software.

We must not do that.  No matter what the disease, this "cure" is worse.

See https://gnu.org/malware/proprietary-back-doors.html .
-- 
Dr Richard Stallman
President, Free Software Foundation (gnu.org, fsf.org)
Internet Hall-of-Famer (internethalloffame.org)
Skype: No way! See stallman.org/skype.html.





* Re: Hotfixing older Emacsen? Was: [ANNOUNCE] Emacs 25.3 released
  2017-09-18  0:03   ` Richard Stallman
@ 2017-09-18  7:48     ` Nicolas Petton
  2017-09-18 11:38       ` Stefan Monnier
  2017-09-18 20:30       ` Richard Stallman
  0 siblings, 2 replies; 119+ messages in thread
From: Nicolas Petton @ 2017-09-18  7:48 UTC (permalink / raw)
  To: rms, Clément Pit-Claudel; +Cc: emacs-devel


Richard Stallman <rms@gnu.org> writes:

>   > Crazy thought: why don't we hot-patch existing Emacs installations?
>   > Concretely, that would mean including that fix in a widely used ELPA or MELPA package. Then users would get the fix upon the next update.
>
> This verges on a universal back door, aka "auto-upgrade"
> which is a form of malware normally found in proprietary software.

What if the user was asked for a confirmation before upgrading?  Would
that be a good solution?

Cheers,
Nico


* Re: Hotfixing older Emacsen? Was: [ANNOUNCE] Emacs 25.3 released
  2017-09-18  7:48     ` Nicolas Petton
@ 2017-09-18 11:38       ` Stefan Monnier
  2017-09-18 20:31         ` Richard Stallman
  2017-09-18 20:30       ` Richard Stallman
  1 sibling, 1 reply; 119+ messages in thread
From: Stefan Monnier @ 2017-09-18 11:38 UTC (permalink / raw)
  To: emacs-devel

>> > Crazy thought: why don't we hot-patch existing Emacs installations?
>> > Concretely, that would mean including that fix in a widely used ELPA
>> > or MELPA package. Then users would get the fix upon the next update.
>> This verges on a universal back door, aka "auto-upgrade"
>> which is a form of malware normally found in proprietary software.
> What if the user was asked for a confirmation before upgrading?
> Would that be a good solution?

I think fixes should be in a separate package.
If we really feel it's necessary, we could consider adding some code to
some unrelated popular package which could do something like:
- look for known bugs (fixed in security-patches)
- if found some, tell the user, suggesting to install the
  security-patches package


-- Stefan





* Re: Hotfixing older Emacsen? Was: [ANNOUNCE] Emacs 25.3 released
  2017-09-18  7:48     ` Nicolas Petton
  2017-09-18 11:38       ` Stefan Monnier
@ 2017-09-18 20:30       ` Richard Stallman
  1 sibling, 0 replies; 119+ messages in thread
From: Richard Stallman @ 2017-09-18 20:30 UTC (permalink / raw)
  To: Nicolas Petton; +Cc: cpitclaudel, emacs-devel

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > What if the user was asked for a confirmation before upgrading?  Would
  > that be a good solution?

That still implies pressure on the user to upgrade.

Informing the user that there is a new version, without pressure,
would be ok.  We can say why we think it is highly desirable to
upgrade and suggest looking at other materials about the issue.  But
not pressure!


-- 
Dr Richard Stallman
President, Free Software Foundation (gnu.org, fsf.org)
Internet Hall-of-Famer (internethalloffame.org)
Skype: No way! See stallman.org/skype.html.





* Re: Hotfixing older Emacsen? Was: [ANNOUNCE] Emacs 25.3 released
  2017-09-18 11:38       ` Stefan Monnier
@ 2017-09-18 20:31         ` Richard Stallman
  0 siblings, 0 replies; 119+ messages in thread
From: Richard Stallman @ 2017-09-18 20:31 UTC (permalink / raw)
  To: Stefan Monnier; +Cc: emacs-devel

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > I think fixes should be in a separate package.

Sorry, I don't follow you.

-- 
Dr Richard Stallman
President, Free Software Foundation (gnu.org, fsf.org)
Internet Hall-of-Famer (internethalloffame.org)
Skype: No way! See stallman.org/skype.html.





* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 15:22             ` Eli Zaretskii
                                 ` (2 preceding siblings ...)
  2017-09-13 18:14               ` Nicolas Petton
@ 2017-09-19 23:36               ` John Wiegley
  3 siblings, 0 replies; 119+ messages in thread
From: John Wiegley @ 2017-09-19 23:36 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: Andreas Schwab, nicolas, rostislav.svoboda, emacs-devel

>>>>> "EZ" == Eli Zaretskii <eliz@gnu.org> writes:

EZ> We should all thank Nicolas who did a splendid job, just a few hours after
EZ> I gave him the final patch. There's no need to pounce on him or make the
EZ> (false) presentation of his job as less than perfect.

Indeed, thanks so much to everyone who got this out quickly enough that coming
back from vacation today I find everything was resolved in the meantime. :)

-- 
John Wiegley                  GPG fingerprint = 4710 CF98 AF9B 327B B80F
http://newartisans.com                          60E1 46C4 BD1A 7AC1 4BA2




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-12 18:38               ` Nicolas Petton
                                   ` (6 preceding siblings ...)
  2017-09-13 16:39                 ` Richard Stallman
@ 2017-09-20 22:32                 ` Tim Cross
  2017-09-21  7:25                   ` Richard Copley
  7 siblings, 1 reply; 119+ messages in thread
From: Tim Cross @ 2017-09-20 22:32 UTC (permalink / raw)
  To: Nicolas Petton
  Cc: Andreas Schwab, Eli Zaretskii, Rostislav Svoboda, Emacs Devel


Hi Nicolas,

it is very easy to be a critic and technology has just made it easy to
spread those criticisms with no real cost - just type and hit send. As far
as I can see, you and Eli thought about how to do this release, considered
the implications and did what you believed was most appropriate given
priorities and resources. I certainly acknowledge and appreciate your
efforts. Ignore the negative noise, most of it is lacking in facts, built
on assumptions and fails to recognise hindsight is always 20/20. There have
been no adverse consequences and I feel you and Eli have shown the action
was responsible and well reasoned. Points have been raised and
acknowledged, time to move on and recognise that most of the fine work done
to maintain Emacs is done by volunteers who need to make time to do these
contributions in a modern world where most of us have too much to do with
too little time to do it.

thanks for your efforts.

Tim


On 13 September 2017 at 04:38, Nicolas Petton <nicolas@petton.fr> wrote:

> Rostislav Svoboda <rostislav.svoboda@gmail.com> writes:
>
> > The thing is guys in my daily-job I do this kind of "release and pray"
> > source code management on a daily basis.
> > You know - cobol, mainframes, finance industry, dinosaurs...
>
> I had to produce the tarball as quickly as I could, which meant
> yesterday evening after work.  We agreed with Eli not to bother with the
> website or the Git branch, as it was much less urgent than releasing the
> security fix.  However, I do have the changes on my local Git repo, so
> there's no need to worry (I'll push them right after sending this email).
>
> To be honest, I'm a bit frustrated with all the negative attitude
> regarding this release.
>
> Nico
>



-- 
regards,

Tim

--
Tim Cross


* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-20 22:32                 ` Tim Cross
@ 2017-09-21  7:25                   ` Richard Copley
  2017-09-21  7:56                     ` Eli Zaretskii
  0 siblings, 1 reply; 119+ messages in thread
From: Richard Copley @ 2017-09-21  7:25 UTC (permalink / raw)
  To: Emacs Development

Unfortunately, the release seems not to work on 64-bit Windows 7. See:
<http://lists.gnu.org/archive/html/help-gnu-emacs/2017-09/msg00150.html>

Windows users remaining on 25.2 may not be a security problem per se,
as the rules for linking directories are different there AIUI, but that question
should be considered by the experts here.




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-21  7:25                   ` Richard Copley
@ 2017-09-21  7:56                     ` Eli Zaretskii
  2017-09-21 18:53                       ` Richard Copley
  2017-09-21 20:37                       ` Phillip Lord
  0 siblings, 2 replies; 119+ messages in thread
From: Eli Zaretskii @ 2017-09-21  7:56 UTC (permalink / raw)
  To: Richard Copley; +Cc: emacs-devel

> From: Richard Copley <rcopley@gmail.com>
> Date: Thu, 21 Sep 2017 08:25:31 +0100
> 
> Unfortunately, the release seems not to work on 64-bit Windows 7. See:
> <http://lists.gnu.org/archive/html/help-gnu-emacs/2017-09/msg00150.html>

That's slightly inaccurate: the 25.3 release does work on Windows 7,
it's just that the specific 64-bit binaries uploaded to the GNU FTP
site don't.

I'd suggest to upload fixed binaries.




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-21  7:56                     ` Eli Zaretskii
@ 2017-09-21 18:53                       ` Richard Copley
  2017-09-21 19:15                         ` Eli Zaretskii
  2017-09-21 20:37                       ` Phillip Lord
  1 sibling, 1 reply; 119+ messages in thread
From: Richard Copley @ 2017-09-21 18:53 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: Emacs Development

On 21 September 2017 at 08:56, Eli Zaretskii <eliz@gnu.org> wrote:
>> From: Richard Copley <rcopley@gmail.com>
>> Date: Thu, 21 Sep 2017 08:25:31 +0100
>>
>> Unfortunately, the release seems not to work on 64-bit Windows 7. See:
>> <http://lists.gnu.org/archive/html/help-gnu-emacs/2017-09/msg00150.html>
>
> That's slightly inaccurate: the 25.3 release does work on Windows 7,
> it's just that the specific 64-bit binaries uploaded to the GNU FTP
> site don't.
>
> I'd suggest to upload fixed binaries.

To do that without creating a new release, of course, means using a
toolchain version other than that which the excellent Nico in fact
used.

FYI the MSYS2 package sources don't provide old versions of packages.
Their currently available MinGW-W64 toolchains won't build a 64-bit
Emacs that works on Windows 7 from the 25.3 release.

Will the mingw.org toolchains described in nt/INSTALL do it?




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-21 18:53                       ` Richard Copley
@ 2017-09-21 19:15                         ` Eli Zaretskii
  2017-09-21 19:26                           ` Richard Copley
  2017-09-21 20:56                           ` Phillip Lord
  0 siblings, 2 replies; 119+ messages in thread
From: Eli Zaretskii @ 2017-09-21 19:15 UTC (permalink / raw)
  To: Richard Copley; +Cc: emacs-devel

> From: Richard Copley <rcopley@gmail.com>
> Date: Thu, 21 Sep 2017 19:53:42 +0100
> Cc: Emacs Development <emacs-devel@gnu.org>
> 
> > I'd suggest to upload fixed binaries.
> 
> To do that without creating a new release, of course, means using a
> toolchain version other than that which the excellent Nico in fact
> used.

No, it means to backport the change in the library order and then
rebuild.  The modified source tarball should be uploaded to the same
place.

> FYI the MSYS2 package sources don't provide old versions of packages.
> Their currently available MinGW-W64 toolchains won't build a 64-bit
> Emacs that works on Windows 7 from the 25.3 release.

I think the binary will work on Windows 7 if built on Windows 7.  But
I don't suggest actually trying that.

> Will the mingw.org toolchains described in nt/INSTALL do it?

Not for a 64-bit build, no.




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-21 19:15                         ` Eli Zaretskii
@ 2017-09-21 19:26                           ` Richard Copley
  2017-09-21 20:56                           ` Phillip Lord
  1 sibling, 0 replies; 119+ messages in thread
From: Richard Copley @ 2017-09-21 19:26 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: Emacs Development

On 21 September 2017 at 20:15, Eli Zaretskii <eliz@gnu.org> wrote:
>> From: Richard Copley <rcopley@gmail.com>
>> Date: Thu, 21 Sep 2017 19:53:42 +0100
>> Cc: Emacs Development <emacs-devel@gnu.org>
>>
>> > I'd suggest to upload fixed binaries.
>>
>> To do that without creating a new release, of course, means using a
>> toolchain version other than that which the excellent Nico in fact
>> used.
>
> No, it means to backport the change in the library order and then
> rebuild.  The modified source tarball should be uploaded to the same
> place.

Great.

>> FYI the MSYS2 package sources don't provide old versions of packages.
>> Their currently available MinGW-W64 toolchains won't build a 64-bit
>> Emacs that works on Windows 7 from the 25.3 release.
>
> I think the binary will work on Windows 7 if built on Windows 7.  But
> I don't suggest actually trying that.

#28493.

>> Will the mingw.org toolchains described in nt/INSTALL do it?
>
> Not for a 64-bit build, no.

OK, thanks.




* Re: security-patches package
  2017-09-16 15:50           ` Ted Zlatanov
@ 2017-09-21 20:01             ` Phillip Lord
  2017-09-22  3:12               ` Stefan Monnier
  2017-09-22 12:59               ` Ted Zlatanov
  0 siblings, 2 replies; 119+ messages in thread
From: Phillip Lord @ 2017-09-21 20:01 UTC (permalink / raw)
  To: emacs-devel

Ted Zlatanov <tzz@lifelogs.com> writes:

> On Fri, 15 Sep 2017 08:32:16 -0400 Stefan Monnier <monnier@iro.umontreal.ca> wrote: 
>
> SM> having a "security-patches" package might make sense.
>>> I would love to see that as well, especially if it was well tested in a
>>> CI system against various versions of Emacs.
>>> What needs to happen so the experience is seamless?
>
> SM> Step one is to create this package in elpa.git, putting the fix for the
> SM> enriched.el bug.
>
> A package is pretty easy but I have a few questions before putting that
> out:
>
> * how do we prevent accidental or malicious commits to this package?
>   Could it maybe live in a special "GNU ELPA security updates" archive
>   separate from elpa.git?

I think this is not important. It wouldn't have any special privilege;
i.e. the malicious user could do the same nasty things in any package.
Accidental commits could just be controlled by constraining the
*release* -- that is commits would be normal, but they wouldn't go live.


> * should it be signed+released in a special way? How do we test it?

Testing is hard, unless we produce an "alpha" version of ELPA (try saying
that when drunk).

> * what version of Emacs will begin to check for this package?

Emacs 26, more or less by definition.

> * Can we do push notifications somehow or are we limited to polling?

Polling. Worse, polling at the user's request, because ELPA doesn't also
update.

Changing ELPA to auto-update the archive would be a good thing to do, I
think.

> * should there be a special mailing list for internal discussions?
>
> * how do we make the experience seamless (on startup, during a
>   long-running session, unattended, for a whole site)?
>
> In a related vein, I mentioned a while ago that it would be really nice
> to see the changes (from what's installed) to all the code in a package
> before upgrading it. I think for security updates that would be
> especially useful.

That would be cute, for non-security also. Give people a reason to
update.

Phil




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-21  7:56                     ` Eli Zaretskii
  2017-09-21 18:53                       ` Richard Copley
@ 2017-09-21 20:37                       ` Phillip Lord
  2017-09-22  2:02                         ` Stephen Leake
  2017-09-22  7:04                         ` Eli Zaretskii
  1 sibling, 2 replies; 119+ messages in thread
From: Phillip Lord @ 2017-09-21 20:37 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: Richard Copley, emacs-devel

Eli Zaretskii <eliz@gnu.org> writes:

>> From: Richard Copley <rcopley@gmail.com>
>> Date: Thu, 21 Sep 2017 08:25:31 +0100
>> 
>> Unfortunately, the release seems not to work on 64-bit Windows 7. See:
>> <http://lists.gnu.org/archive/html/help-gnu-emacs/2017-09/msg00150.html>
>
> That's slightly inaccurate: the 25.3 release does work on Windows 7,
> it's just that the specific 64-bit binaries uploaded to the GNU FTP
> site don't.
>
> I'd suggest to upload fixed binaries.

I don't know how to do this. I have upgraded my system and I do not know
how to downgrade it. Even if I did, I am afraid, I didn't think to
record the update times, so I don't know what to downgrade it to.

Unfortunately, the best that I can currently do in terms of testing is
simply to run the binaries I create and see if they work. I try and test
them on a different machine, but I now have access to only 2 Windows
machines and both of them use the same version of Windows.

Perhaps, I should start uploading binaries to alpha.gnu.org for a few
days, before moving them to release; this would be the second set of
binaries to have an issue in this cycle.

Phil




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-21 19:15                         ` Eli Zaretskii
  2017-09-21 19:26                           ` Richard Copley
@ 2017-09-21 20:56                           ` Phillip Lord
  2017-09-22  7:08                             ` Eli Zaretskii
  1 sibling, 1 reply; 119+ messages in thread
From: Phillip Lord @ 2017-09-21 20:56 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: Richard Copley, emacs-devel

Eli Zaretskii <eliz@gnu.org> writes:

>> From: Richard Copley <rcopley@gmail.com>
>> Date: Thu, 21 Sep 2017 19:53:42 +0100
>> Cc: Emacs Development <emacs-devel@gnu.org>
>> 
>> > I'd suggest to upload fixed binaries.
>> 
>> To do that without creating a new release, of course, means using a
>> toolchain version other than that which the excellent Nico in fact
>> used.
>
> No, it means to backport the change in the library order and then
> rebuild.  The modified source tarball should be uploaded to the same
> place.

It's possible, or possibly a new binary and a patch file for the source?

But it all sounds like a release to me. Would Emacs-25.3.1 not be
better?

We talking about 7b3d1c6beb54ef6c423a9?

Phil







* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-21 20:37                       ` Phillip Lord
@ 2017-09-22  2:02                         ` Stephen Leake
  2017-09-22  7:04                         ` Eli Zaretskii
  1 sibling, 0 replies; 119+ messages in thread
From: Stephen Leake @ 2017-09-22  2:02 UTC (permalink / raw)
  To: emacs-devel

phillip.lord@russet.org.uk (Phillip Lord) writes:

> Eli Zaretskii <eliz@gnu.org> writes:
>
>>> From: Richard Copley <rcopley@gmail.com>
>>> Date: Thu, 21 Sep 2017 08:25:31 +0100
>>> 
>>> Unfortunately, the release seems not to work on 64-bit Windows 7. See:
>>> <http://lists.gnu.org/archive/html/help-gnu-emacs/2017-09/msg00150.html>
>>
>> That's slightly inaccurate: the 25.3 release does work on Windows 7,
>> it's just that the specific 64-bit binaries uploaded to the GNU FTP
>> site don't.
>>
>> I'd suggest to upload fixed binaries.
>
> I don't know how to do this. I have upgraded my system and I do not know
> how to downgrade it. Even if I did, I am afraid, I didn't think to
> record the update times, so I don't know what to downgrade it to.
>
> Unfortunately, the best that I can currently do in terms of testing is
> simply to run the binaries I create and see if they work. I try and test
> them on a different machine, but I now have access to only 2 Windows
> machines and both of them use the same version of Windows.
>
> Perhaps, I should start uploading binaries to alpha.gnu.org for a few
> days, before moving them to release; this would be the second set of
> binaries to have an issue in this cycle.

+1; I can test those, on Windows 8.

-- 
-- Stephe




* Re: security-patches package
  2017-09-21 20:01             ` Phillip Lord
@ 2017-09-22  3:12               ` Stefan Monnier
       [not found]                 ` <878th32hzx.fsf@russet.org.uk>
  2017-09-22 12:59               ` Ted Zlatanov
  1 sibling, 1 reply; 119+ messages in thread
From: Stefan Monnier @ 2017-09-22  3:12 UTC (permalink / raw)
  To: emacs-devel

> Changing ELPA to auto-update the archive would be a good thing to do, I
> think.

I'm firmly opposed to making any program initiate network connections
without explicit user request.


        Stefan





* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-21 20:37                       ` Phillip Lord
  2017-09-22  2:02                         ` Stephen Leake
@ 2017-09-22  7:04                         ` Eli Zaretskii
  1 sibling, 0 replies; 119+ messages in thread
From: Eli Zaretskii @ 2017-09-22  7:04 UTC (permalink / raw)
  To: Phillip Lord; +Cc: rcopley, emacs-devel

> From: phillip.lord@russet.org.uk (Phillip Lord)
> Date: Thu, 21 Sep 2017 21:37:48 +0100
> Cc: Richard Copley <rcopley@gmail.com>, emacs-devel@gnu.org
> 
> Perhaps, I should start uploading binaries to alpha.gnu.org for a few
> days, before moving them to release; this would be the second set of
> binaries to have an issue in this cycle.

That's normally done, AFAIK, but for an emergency release it would be
good to be able to avoid an extra upload to a different place.

I don't think we should canonicalize a solution to this particular
problem.  It is quite unique.  I knew about the issue for a few years,
but never suspected a back-stab from MinGW import libraries.  Chances
for this scenario to repeat itself are quite slim.  The only amendment
to our procedures that I'd suggest to consider is to ask a couple of
people to unpack and run the binary on various versions of Windows
once it's uploaded.  This is what Nicolas did with the source tarball,
after uploading it to the GNU FTP site.




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-21 20:56                           ` Phillip Lord
@ 2017-09-22  7:08                             ` Eli Zaretskii
  2017-09-22 15:29                               ` Richard Stallman
  2017-09-27 10:18                               ` Phillip Lord
  0 siblings, 2 replies; 119+ messages in thread
From: Eli Zaretskii @ 2017-09-22  7:08 UTC (permalink / raw)
  To: Phillip Lord; +Cc: rcopley, emacs-devel

> From: phillip.lord@russet.org.uk (Phillip Lord)
> Cc: Richard Copley <rcopley@gmail.com>,  emacs-devel@gnu.org
> Date: Thu, 21 Sep 2017 21:56:27 +0100
> 
> > No, it means to backport the change in the library order and then
> > rebuild.  The modified source tarball should be uploaded to the same
> > place.
> 
> It's possible, or possibly a new binary and a patch file for the source?

I'm not sure a patch file is enough to abide by the GPL.  Is there a
problem to upload a full tarball?

> But it all sounds like a release to me. Would Emacs-25.3.1 not be
> better?

Yes, 25.3.1 would be better.  But I'd also add a special README to
explain what it is.  And I think I'd remove the 25.3 zip files, as
they are not very useful.

> We talking about 7b3d1c6beb54ef6c423a9?

Yes.




* Re: security-patches package
  2017-09-21 20:01             ` Phillip Lord
  2017-09-22  3:12               ` Stefan Monnier
@ 2017-09-22 12:59               ` Ted Zlatanov
  2017-09-23  4:15                 ` Stephen Leake
  1 sibling, 1 reply; 119+ messages in thread
From: Ted Zlatanov @ 2017-09-22 12:59 UTC (permalink / raw)
  To: emacs-devel

On Thu, 21 Sep 2017 21:01:56 +0100 phillip.lord@russet.org.uk (Phillip Lord) wrote: 

PL> Ted Zlatanov <tzz@lifelogs.com> writes:
>> * how do we prevent accidental or malicious commits to this package?
>> Could it maybe live in a special "GNU ELPA security updates" archive
>> separate from elpa.git?

PL> I think this is not important. It wouldn't have any special privilege;
PL> i.e. the malicious user could do the same nasty things in any package.
PL> Accidental commits could just be controlled by constraining the
PL> *release* -- that is commits would be normal, but they wouldn't go live.

The proposition is to check these packages more frequently and for the
user to trust them more than any other packages, so I think there is
some value to that. But I'm OK with just using the GNU ELPA as long as
the packages are tagged in a special way.

>> * Can we do push notifications somehow or are we limited to polling?

PL> Polling. Worse, polling at the user's request, because ELPA doesn't also
PL> update.

PL> Changing ELPA to auto-update the archive would be a good thing to do, I
PL> think.

On Thu, 21 Sep 2017 23:12:47 -0400 Stefan Monnier <monnier@iro.umontreal.ca> wrote: 

SM> I'm firmly opposed to making any program initiate network connections
SM> without explicit user request.

I understand the concern.

Let's say the user can turn auto checking on, but normally it will just
be a prominent menu item or button they can click to check for an update?

Ted





* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-22  7:08                             ` Eli Zaretskii
@ 2017-09-22 15:29                               ` Richard Stallman
  2017-09-27 10:18                               ` Phillip Lord
  1 sibling, 0 replies; 119+ messages in thread
From: Richard Stallman @ 2017-09-22 15:29 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: rcopley, emacs-devel, phillip.lord

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > > It's possible, or possibly a new binary and a patch file for the source?

  > I'm not sure a patch file is enough to abide by the GPL.  Is there a
  > problem to upload a full tarball?

Please do it the clean way: make a self-contained correct release,
not a patch.

-- 
Dr Richard Stallman
President, Free Software Foundation (gnu.org, fsf.org)
Internet Hall-of-Famer (internethalloffame.org)
Skype: No way! See stallman.org/skype.html.





* Re: security-patches package
  2017-09-22 12:59               ` Ted Zlatanov
@ 2017-09-23  4:15                 ` Stephen Leake
  0 siblings, 0 replies; 119+ messages in thread
From: Stephen Leake @ 2017-09-23  4:15 UTC (permalink / raw)
  To: emacs-devel

Ted Zlatanov <tzz@lifelogs.com> writes:

>>> * Can we do push notifications somehow or are we limited to polling?
>
> PL> Polling. Worse, polling at the user's request, because ELPA doesn't also
> PL> update.
>
> PL> Changing ELPA to auto-update the archive would be a good thing to do, I
> PL> think.
>
> On Thu, 21 Sep 2017 23:12:47 -0400 Stefan Monnier <monnier@iro.umontreal.ca> wrote: 
>
> SM> I'm firmly opposed to making any program initiate network connections
> SM> without explicit user request.
>
> I understand the concern.
>
> Let's say the user can turn auto checking on, but normally it will just
> be a prominent menu item or button they can click to check for an update?

+1

-- 
-- Stephe




* Re: security-patches package
       [not found]                 ` <878th32hzx.fsf@russet.org.uk>
@ 2017-09-25 10:24                   ` Phillip Lord
  0 siblings, 0 replies; 119+ messages in thread
From: Phillip Lord @ 2017-09-25 10:24 UTC (permalink / raw)
  To: Stefan Monnier; +Cc: emacs-devel

Stefan Monnier <monnier@iro.umontreal.ca> writes:

>> Changing ELPA to auto-update the archive would be a good thing to do, I
>> think.
>
> I'm firmly opposed to making any program initiate network connections
> without explicit user request.

The middle-ground is to ask people the first time, then
auto-update/not-update into the future.

Phil




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-22  7:08                             ` Eli Zaretskii
  2017-09-22 15:29                               ` Richard Stallman
@ 2017-09-27 10:18                               ` Phillip Lord
  2017-09-29  9:54                                 ` Stephen Leake
  1 sibling, 1 reply; 119+ messages in thread
From: Phillip Lord @ 2017-09-27 10:18 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: rcopley, emacs-devel

Eli Zaretskii <eliz@gnu.org> writes:

>> From: phillip.lord@russet.org.uk (Phillip Lord)
>> Cc: Richard Copley <rcopley@gmail.com>,  emacs-devel@gnu.org
>> Date: Thu, 21 Sep 2017 21:56:27 +0100
>> 
>> > No, it means to backport the change in the library order and then
>> > rebuild.  The modified source tarball should be uploaded to the same
>> > place.
>> 
>> It's possible, or possibly a new binary and a patch file for the source?
>
> I'm not sure a patch file is enough to abide by the GPL.  Is there a
> problem to upload a full tarball?
>
>> But it all sounds like a release to me. Would Emacs-25.3.1 not be
>> better?
>
> Yes, 25.3.1 would be better.  But I'd also add a special README to
> explain what it is.  And I think I'd remove the 25.3 zip files, as
> they are not very useful.
>
>> We talking about 7b3d1c6beb54ef6c423a9?
>
> Yes.


I have uploaded a patched 25.3 to alpha and would welcome testing (esp
on Windows 7).

Issues: this is not a full release, it's just a patched
25.3. Directories have been left as 25.3. And I did the patch by hand,
because I couldn't get git to work.

Not sure if this is the best way; a full 25.3.1 release might be
better. However, it would be functionally identical to 25.3 for most
systems, and I'd need Nico to do the release, as I never have done one.

Phil




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-27 10:18                               ` Phillip Lord
@ 2017-09-29  9:54                                 ` Stephen Leake
  2017-09-29 10:46                                   ` Phillip Lord
  0 siblings, 1 reply; 119+ messages in thread
From: Stephen Leake @ 2017-09-29  9:54 UTC (permalink / raw)
  To: emacs-devel

phillip.lord@russet.org.uk (Phillip Lord) writes:

> I have uploaded a patched 25.3 to alpha and would welcome testing (esp
> on Windows 7).

emacs-25.3_1-x86_64.zip works for me on Windows 8


-- 
-- Stephe




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-29  9:54                                 ` Stephen Leake
@ 2017-09-29 10:46                                   ` Phillip Lord
  2017-09-29 12:46                                     ` Richard Copley
  2017-09-30  7:22                                     ` Stephen Leake
  0 siblings, 2 replies; 119+ messages in thread
From: Phillip Lord @ 2017-09-29 10:46 UTC (permalink / raw)
  To: Stephen Leake; +Cc: emacs-devel

Stephen Leake <stephen_leake@stephe-leake.org> writes:

> phillip.lord@russet.org.uk (Phillip Lord) writes:
>
>> I have uploaded a patched 25.3 to alpha and would welcome testing (esp
>> on Windows 7).
>
> emacs-25.3_1-x86_64.zip works for me on Windows 8


Thanks

Did the old zip fail?




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-29 10:46                                   ` Phillip Lord
@ 2017-09-29 12:46                                     ` Richard Copley
  2017-10-02 11:54                                       ` Phillip Lord
  2017-09-30  7:22                                     ` Stephen Leake
  1 sibling, 1 reply; 119+ messages in thread
From: Richard Copley @ 2017-09-29 12:46 UTC (permalink / raw)
  To: Phillip Lord; +Cc: Stephen Leake, emacs-devel

On 29 September 2017 at 11:46, Phillip Lord <phillip.lord@russet.org.uk> wrote:
> Stephen Leake <stephen_leake@stephe-leake.org> writes:
>
>> phillip.lord@russet.org.uk (Phillip Lord) writes:
>>
>>> I have uploaded a patched 25.3 to alpha and would welcome testing (esp
>>> on Windows 7).
>>
>> emacs-25.3_1-x86_64.zip works for me on Windows 8
>
>
> Thanks
>
> Did the old zip fail?

Confirm that for me on Windows 7,
* the old zip fails (same error as discussed on the Help list) and
* the new alpha 25.3_1 zip works.

Many thanks Phillip. Sorry, I didn't see your email until Stephen's reply.




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-29 10:46                                   ` Phillip Lord
  2017-09-29 12:46                                     ` Richard Copley
@ 2017-09-30  7:22                                     ` Stephen Leake
  1 sibling, 0 replies; 119+ messages in thread
From: Stephen Leake @ 2017-09-30  7:22 UTC (permalink / raw)
  To: emacs-devel

phillip.lord@russet.org.uk (Phillip Lord) writes:

> Stephen Leake <stephen_leake@stephe-leake.org> writes:
>
>> phillip.lord@russet.org.uk (Phillip Lord) writes:
>>
>>> I have uploaded a patched 25.3 to alpha and would welcome testing (esp
>>> on Windows 7).
>>
>> emacs-25.3_1-x86_64.zip works for me on Windows 8
>
>
> Thanks
>
> Did the old zip fail?

I never tried it; I only tried 25.1

-- 
-- Stephe




* Re: [ANNOUNCE] Emacs 25.3 released
  2017-09-29 12:46                                     ` Richard Copley
@ 2017-10-02 11:54                                       ` Phillip Lord
  0 siblings, 0 replies; 119+ messages in thread
From: Phillip Lord @ 2017-10-02 11:54 UTC (permalink / raw)
  To: Richard Copley; +Cc: Stephen Leake, emacs-devel

Richard Copley <rcopley@gmail.com> writes:

> On 29 September 2017 at 11:46, Phillip Lord <phillip.lord@russet.org.uk> wrote:
>> Stephen Leake <stephen_leake@stephe-leake.org> writes:
>>
>>> phillip.lord@russet.org.uk (Phillip Lord) writes:
>>>
>>>> I have uploaded a patched 25.3 to alpha and would welcome testing (esp
>>>> on Windows 7).
>>>
>>> emacs-25.3_1-x86_64.zip works for me on Windows 8
>>
>>
>> Thanks
>>
>> Did the old zip fail?
>
> Confirm that for me on Windows 7,
> * the old zip fails (same error as discussed on the Help list) and
> * the new alpha 25.3_1 zip works.
>
> Many thanks Phillip. Sorry, I didn't see your email until Stephen's reply.


Thanks very much for the positive test.

I'll upload as soon as I can. For the next release, I'll send a specific
email to emacs-devel asking for testers before I fully release the
binaries.

Phil


