From: Ulrich Mueller
Newsgroups: gmane.emacs.devel
Subject: Re: [ANNOUNCE] Emacs 25.3 released
Date: Thu, 14 Sep 2017 08:37:18 +0200
Message-ID: <22970.9118.120245.720675@a1i15.kph.uni-mainz.de>
References: <87wp55t0un.fsf@petton.fr> <87tw07kikp.fsf@gnu.org> <4431.25452.741228.22968@gargle.gargle.HOWL> <22969.34976.706874.350971@a1i15.kph.uni-mainz.de>
To: rms@gnu.org
Cc: eggert@cs.ucla.edu, winkler@gnu.org, emacs-devel@gnu.org
>>>>> On Wed, 13 Sep 2017, Richard Stallman wrote:

>> Please don't. That would break the download for distros who rely on
>> pristine upstream sources and apply separate patches. For example,
>> Gentoo still has packages app-editors/emacs-23.4-r16 and
>> app-editors/emacs-24.5-r4 (of course, both *with* the fix for
>> enriched-mode).

> So how do we inform people not to download the broken versions?

Bugs (security or other) happen all the time, so most old versions will
be broken in some way. In spite of that, I am not aware of any project
that is renaming its old tarballs.

It is also not the first time there is a security bug in GNU Emacs
(although it's been a while since the last one). A quick search shows
CVE-2014-3421, -3422, -3423, and -3424 concerning insecure handling of
temporary files in gnus-fun.el, find-gc.el, browse-url.el, and tramp.el.
No renaming of tarballs took place, neither for that issue (which
affected Emacs 24.3) nor for any previous ones.

I would also assume that users will generally download only the latest
version of any given software, and that they are aware that old versions
can contain bugs.

> If Gentoo will have a patch to fix that version,
> can't the same patch be put in the new file name of that version?

Sure, we could update the filename in our ebuild. Which would mean more
work though. We have some 19000 packages in the distro, and there's
other work to do than monitoring if upstream tarballs have been renamed.

Ulrich