From: Jean Louis
Newsgroups: gmane.emacs.devel
Subject: Re: Emacs 28.3 Release
Date: Tue, 11 Apr 2023 11:14:14 +0300
To: Troy Hinckley
Cc: emacs-devel@gnu.org, Eli Zaretskii, Stefan Kangas

* Troy Hinckley [2023-04-10 16:21]:
> Hi Emacs devs,
> I am asking again what we can do to complete the Emacs 28.3 release.
> My concern is that we have a narrow window in which this version will
> be viable. As it currently stands the latest stable release has a high
> severity CVE that prevents Emacs from being installed in security
> sensitive domains. 28.3 will resolve that and make the latest stable
> release usable. However, someone will inevitably find another CVE
> against Emacs. At that point 28.3 will no longer be useful. Given how
> hard it has been to get this release, I doubt there would be resources
> to add another security patch to Emacs 28.

Emacs has a built-in programming language. Programming languages are
not secure by default. Their purpose is freedom for the programmer to do
what the programmer wants.

If people on this mailing list would decide, they could file X number
of (not so) common vulnerabilities, though developers are constantly
improving Emacs, not making their reputation by "discovering security
holes".

As if focus would be on common vulnerabilities reporting, then those
reports would be as great as GNU Emacs bug reports.

This means that handling those one or few CVE reports related to Emacs
is only there for cosmetic purposes. It is for the fake image.

Handling a few of those CVEs, or removing reports, or closing those
reports, doesn't make Emacs secure for "secure domains" as you
mentioned it. It is as secure as people who are working with it.

-- 
Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns

In support of Richard M. Stallman
https://stallmansupport.org/