From: "Etienne Prud’homme" <e.e.f.prudhomme@gmail.com>
To: Ulrich Mueller <ulm@gentoo.org>
Cc: eggert@cs.ucla.edu, emacs-devel@gnu.org, rms@gnu.org, winkler@gnu.org
Subject: Re: Emacs 25.3 released
Date: Thu, 14 Sep 2017 09:24:16 -0400
Message-ID: <87ingle7lr.fsf@x230.lts>
In-Reply-To: <22970.9118.120245.720675@a1i15.kph.uni-mainz.de> (Ulrich Mueller's message of "Thu, 14 Sep 2017 08:37:18 +0200")
Ulrich Mueller <ulm@gentoo.org> writes:
>>>>>> On Wed, 13 Sep 2017, Richard Stallman wrote:
>
>>> Please don't. That would break the download for distros who rely on
>>> pristine upstream sources and apply separate patches. For example,
>>> Gentoo still has packages app-editors/emacs-23.4-r16 and
>>> app-editors/emacs-24.5-r4 (of course, both *with* the fix for
>>> enriched-mode).
>
>> So how do we inform people not to download the broken versions?
>
> Bugs (security or other) happen all the time, so most old versions
> will be broken in some way. In spite of that, I am not aware of any
> project that is renaming its old tarballs.
>
> It is also not the first time there is a security bug in GNU Emacs
> (although it's been a while since the last one). A quick search shows
> CVE-2014-3421, -3422, -3423, and -3424 concerning insecure handling
> of temporary files in gnus-fun.el, find-gc.el, browse-url.el, and
> tramp.el. No renaming of tarballs took place, neither for that issue
> (which affected Emacs 24.3) nor for any previous ones.
>
> I would also assume that users will generally download only the latest
> version of any given software, and that they are aware that old
> versions can contain bugs.
>
>> If Gentoo will have a patch to fix that version,
>> can't the same patch put in the new file name of that version?
>
> Sure, we could update the filename in our ebuild. Which would mean
> more work though. We have some 19000 packages in the distro, and
> there's other work to do than monitoring if upstream tarballs have
> been renamed.
>
> Ulrich

Was there any fix for versions older than 24?

Maybe we could patch older versions too. I think it might be helpful to
set up a critical update mechanism. By that I mean patching every
affected version automatically with the semantic version system
(increment by 0.0.1 for bug fixes). By the way, are tarballs
automatically generated? If not, would it be hard to implement?

PS: I’m grateful for Petton’s work and am not trying to minimize what he
did.

--
Etienne