From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Richard Stallman Newsgroups: gmane.emacs.devel Subject: Re: Request to backport fix for CVE-2022-45939 to Emacs 28 Date: Thu, 16 Feb 2023 12:50:08 -0500 Message-ID: References: <85f35c42-cfe8-44a7-a9c1-307acc5c17d4@Spark> <09998122-0110-454f-94d1-e29c37b833f4@Spark> <83sff9e1is.fsf@gnu.org> <838rh0e64j.fsf@gnu.org> <86ttzougu2.fsf@gmail.com> Reply-To: rms@gnu.org Content-Type: text/plain; charset=Utf-8 Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="25159"; mail-complaints-to="usenet@ciao.gmane.io" Cc: eliz@gnu.org, emacs-devel@gnu.org To: Tim Cross Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Thu Feb 16 18:51:13 2023 Return-path: Envelope-to: ged-emacs-devel@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pSiPY-0006KU-TD for ged-emacs-devel@m.gmane-mx.org; Thu, 16 Feb 2023 18:51:13 +0100 Original-Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1pSiOl-0006z3-AG; Thu, 16 Feb 2023 12:50:23 -0500 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pSiOj-0006om-1V for emacs-devel@gnu.org; Thu, 16 Feb 2023 12:50:21 -0500 Original-Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pSiOi-0008Qx-OP; Thu, 16 Feb 2023 12:50:20 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=Date:References:Subject:In-Reply-To:To:From: mime-version; bh=X1GYZMSLzHDjc3u/7RUzP0iKkHvslzSzxqOWgfYP/uk=; b=E9vPbgoolwd1 4Bp27DUKDjfbdcCA4EyHvM5KfkyIRaSygcYJ0W3W1jfHnBXoqCv4vWd/v6N2O0qE9w8vCF2EF71Gp gea4bnS3YoAtYHepO52UAg9p33k+JBQCQ2lhqDDZQ64WUu23kvUiIKb6VMRDdPuX4eQ84H5V8MAt+ xa9KQKiItW2M3suM5tfQIjolXJzWnfGgiRasx8mUFRusyumFs/GP0+ptVv2A0rie/dqQ89i7FcY6B 8/DZzxnNbeduyp9XNpr3aK5R7rqyWUVlZ+TVRvYw+jMem85BXTAaODim7bTmvzkEatuSKsR6tJ8QJ qfOVForvWQp5NMLlQNVzCg==; Original-Received: from rms by fencepost.gnu.org with local (Exim 4.90_1) (envelope-from ) id 1pSiOW-0007km-1O; Thu, 16 Feb 2023 12:50:20 -0500 In-Reply-To: <86ttzougu2.fsf@gmail.com> (message from Tim Cross on Wed, 15 Feb 2023 07:10:58 +1100) X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Xref: news.gmane.io gmane.emacs.devel:303430 Archived-At: [[[ To any NSA and FBI agents reading my email: please consider ]]] [[[ whether defending the US Constitution against all enemies, ]]] [[[ foreign or domestic, requires you to follow Snowden's example. ]]] > While I understand the resourcing issues, I think this is the wrong > decision. We are in the situation where the current released version of > Emacs has a known security exploit with a severity classification of > high (although this assessment seems to be under review) and the > response seems to be "Sorry, we are too busy trying to get the next > version released to deal with this". I agree. Fixing this one bug seems to be important to our user community, and we already know the fix. We should release a fixed version. What makes it a ontrivial job to release one? Is it because there other fixes have been committed to the Emacs 28 branch since the last release? Would including them in a release call for some additioal work? If so, I am sure we can find a solution that avoids some of that work. -- Dr Richard Stallman (https://stallman.org) Chief GNUisance of the GNU Project (https://gnu.org) Founder, Free Software Foundation (https://fsf.org) Internet Hall-of-Famer (https://internethalloffame.org)