unofficial mirror of emacs-devel@gnu.org 
 help / color / mirror / code / Atom feed
From: Troy Hinckley <comms@dabrev.com>
To: Jean Louis <bugs@gnu.support>
Cc: emacs-devel@gnu.org, Eli Zaretskii <eliz@gnu.org>,
	Stefan Kangas <stefankangas@gmail.com>
Subject: Re: Emacs 28.3 Release
Date: Wed, 12 Apr 2023 10:37:09 -0500	[thread overview]
Message-ID: <9a4abd79-4885-4ea0-9010-0eccaef443b8@Spark> (raw)
In-Reply-To: <ZDUW1rbdcjwi6CA2@protected.localdomain>

[-- Attachment #1: Type: text/plain, Size: 2381 bytes --]

Everything you said is correct, Jean. But I work at one of the major tech companies in the US with over 100,000 engineers. I have tried to argue with IT about their policies, but as you can image it makes no difference. They see high-severity CVE’s and won’t install it. And we are not the only company that has such policies. We have 1000’s of Emacs users here who can’t use the latest stable Emacs until 28.3 comes out. I am really appreciative of the effort that has been put in so far to get this version of Emacs out. I hope we can make this release soon.
On Apr 11, 2023 at 3:14 AM -0500, Jean Louis <bugs@gnu.support>, wrote:
> * Troy Hinckley <comms@dabrev.com> [2023-04-10 16:21]:
> > Hi Emacs devs,
> > I am asking again what we can do to complete the Emacs 28.3 release. My concern is that we have a narrow window in which this version will be viable. As it currently stands the latest stable release has a high severity CVE that prevents Emacs from being installed in security sensitive domains. 28.3 will resolve that and make the latest stable release usable. However, someone will inevitably find another CVE against Emacs. At that point 28.3 will no longer be useful. Given how hard it has been to get this release, I doubt there would be resources to add another security patch to Emacs 28.
>
> Emacs has built-in programming language. Programming languages are not
> secure by default. Their purpose is freedom to programmer to do what
> programmers wants.
>
> If people on this mailing list would decide, they could file X number
> of (not so) common vulnerabilities, though developers are constantly
> improving Emacs, not making their reputation by "discovering security
> holes". As if focus would be on common vulnerabilities reporting then
> those reports would be as great as GNU Emacs bug reports
>
> This means that handling those one or few CVE reports related to Emacs
> is only there for cosmetics purposes. It is for the fake image.
>
> Handling few of those CVEs, or removing reports, or closing those
> reports, doesn't make Emacs secure for "secure domains" as you
> mentioned it.
>
> It is as secure as people who are working with it.
>
> --
> Jean
>
> Take action in Free Software Foundation campaigns:
> https://www.fsf.org/campaigns
>
> In support of Richard M. Stallman
> https://stallmansupport.org/

[-- Attachment #2: Type: text/html, Size: 2935 bytes --]

  reply	other threads:[~2023-04-12 15:37 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <f4b95933-46bd-4bcb-b9ca-ceed72b1c6ee@Spark>
2023-04-10 13:05 ` Emacs 28.3 Release Troy Hinckley
2023-04-10 13:20   ` Eli Zaretskii
2023-04-10 14:33     ` lux
2023-04-10 14:44       ` Ulrich Mueller
2023-04-10 14:46         ` lux
2023-04-10 13:50   ` Po Lu
2023-04-11  8:14   ` Jean Louis
2023-04-12 15:37     ` Troy Hinckley [this message]
2023-04-12 16:31       ` lux
2023-04-12 16:56         ` Corwin Brust

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://www.gnu.org/software/emacs/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=9a4abd79-4885-4ea0-9010-0eccaef443b8@Spark \
    --to=comms@dabrev.com \
    --cc=bugs@gnu.support \
    --cc=eliz@gnu.org \
    --cc=emacs-devel@gnu.org \
    --cc=stefankangas@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).