From: Richard Stallman
Newsgroups: gmane.emacs.devel
Subject: Re: Request to backport fix for CVE-2022-45939 to Emacs 28
Date: Fri, 17 Feb 2023 23:19:58 -0500
Reply-To: rms@gnu.org
To: Robert Pluim
Cc: theophilusx@gmail.com, eliz@gnu.org, lx@shellcodes.org, comms@dabrev.com, emacs-devel@gnu.org
In-Reply-To: <87edqrpbwb.fsf@gmail.com> (message from Robert Pluim on Wed, 15 Feb 2023 09:32:04 +0100)

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > We *could* rush out a 28.3 release, I guess, given that thereʼs only
  > one actual non-doc change on the branch, but then again: how is that
  > any better than downstream just adding the CVE fix to their builds?

It is normal for users to download the tar file and build from that.
Most of them will not have any way to know that they should patch it.

If we make a 28.3 release with the fix, ordinary users will get that fix.
Otherwise, they won't know about it and won't install it.

Lynn Winebarger wrote:

  > FWIW, I suspect a lot of users get automated updates from their
  > packager of choice, whether it's [a GNU/Linux] distro, Cygwin, MSYS2, or
  > whatever.

Some users will get the fix that way, and that's good. But we also
want users who build from our source release to get important fixes
like this one.

-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)