From: Robert Pluim <rpluim@gmail.com>
To: Eli Zaretskii <eliz@gnu.org>
Cc: jwiegley@gmail.com, eggert@cs.ucla.edu, 28597@debbugs.gnu.org,
nljlistbox2@gmail.com
Subject: bug#28597: 26.0.60; [Security] Configure should use --without-pop by default
Date: Mon, 02 Oct 2017 18:29:13 +0200 [thread overview]
Message-ID: <873771wm1y.fsf@gmail.com> (raw)
In-Reply-To: <87h8vl1db2.fsf@gmail.com> (Robert Pluim's message of "Fri, 29 Sep 2017 22:04:49 +0200")
[-- Attachment #1: Type: text/plain, Size: 1786 bytes --]
Robert Pluim <rpluim@gmail.com> writes:
> No, we don't. I'll see if I can come up with some verbiage over the
> weekend, once I reconfigure my brain to (re-)understand autoconf
Apologies for the delay. Autoconf and I don't get on.
The attached patch against emacs-26 results in the following outputs
at the end of the ./configure run. I'm not sure we should suggest
'--without-pop' when that's the new default, but it's probably best to
be explicit.
---begin---
No mailutils installed, ./configure:
configure: WARNING: This configuration installs a 'movemail' program
that does not support POP3 mail retrieval at all due to lack of
support for secure channels.
You might want to install GNU Mailutils
<http://mailutils.org>
You can use './configure --with-pop',
but this is not recommended.
No mailutils installed, ./configure --with-pop:
configure: WARNING: This configuration installs a 'movemail' program
that retrieves POP3 email via only insecure channels.
To omit insecure POP3, you can use './configure --without-pop'.
With mailutils installed, ./configure --without-mailutils:
configure: WARNING: This configuration installs a 'movemail' program
that does not support POP3 mail retrieval at all due to lack of
support for secure channels.
You can use './configure --without-mailutils --with-pop',
but this is not recommended.
With mailutils installed, ./configure --without-mailutils --with-pop:
configure: WARNING: This configuration installs a 'movemail' program
that retrieves POP3 email via only insecure channels.
To omit insecure POP3, you can use './configure --without-pop'.
With mailutils installed, ./configure --with-pop:
# no output
With mailutils installed, ./configure
# no output
---end---
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-Default-to-without-pop.patch --]
[-- Type: text/x-diff, Size: 2948 bytes --]
From 2002807183af9e1c61ecd36bd04c28a269b7a6b5 Mon Sep 17 00:00:00 2001
From: Robert Pluim <rpluim@gmail.com>
Date: Mon, 2 Oct 2017 18:20:58 +0200
Subject: [PATCH] Default to --without-pop
2017-10-02 Robert Pluim <rpluim@gmail.com>
* configure.ac (with_pop): Default to off. Warn loudly when
this results in not supporting insecure POP3.
---
configure.ac | 33 ++++++++++++++++++++-------------
1 file changed, 20 insertions(+), 13 deletions(-)
diff --git a/configure.ac b/configure.ac
index 0b0bb5e144..c692c7a532 100644
--- a/configure.ac
+++ b/configure.ac
@@ -232,9 +232,11 @@ AC_DEFUN
m4_bpatsubst([with_$1], [[^0-9a-z]], [_])=$with_features])dnl
])dnl
-# FIXME: The default options '--without-mailutils --with-pop' result
+# The options '--without-mailutils --with-pop' result
# in a movemail implementation that supports only unencrypted POP3
-# connections. Encrypted connections should be the default.
+# connections, but we warn about that later. By default we
+# do *not* support unencrypted POP3
+# Encrypted connections should be the default.
AC_ARG_WITH([mailutils],
[AS_HELP_STRING([--with-mailutils],
@@ -251,8 +253,8 @@ AC_DEFUN
fi
AC_SUBST([with_mailutils])
-OPTION_DEFAULT_ON([pop],
- [don't support POP mail retrieval with movemail (--without-pop or
+OPTION_DEFAULT_OFF([pop],
+ [support POP mail retrieval with movemail (--without-pop or
--with-mailutils is recommended, as movemail POP is insecure)])
if test "$with_pop" = yes; then
AC_DEFINE(MAIL_USE_POP)
@@ -5566,23 +5568,28 @@ m4_define
if test ! "$with_mailutils"; then
if test "$with_pop" = yes; then
AC_MSG_WARN([This configuration installs a 'movemail' program
-that retrieves POP3 email via only insecure channels.
-To omit insecure POP3, you can use '$0 --without-pop'.])
- fi
-
+ that retrieves POP3 email via only insecure channels.
+ To omit insecure POP3, you can use '$0 --without-pop'.])
+ else
case $opsys in
mingw32)
# Don't suggest GNU Mailutils, as it hasn't been ported.
;;
*)
- emacs_fix_movemail="use '$0 --with-mailutils'"
+ emacs_use_pop="You can use '$0 ${emacs_config_options} --with-pop',
+ but this is not recommended."
case `(movemail --version) 2>/dev/null` in
- *Mailutils*) ;;
- *) emacs_fix_movemail="install GNU Mailutils
-<http://mailutils.org> and $emacs_fix_movemail";;
+ *Mailutils*) emacs_fix_suggestion="$emacs_use_pop";;
+ *) emacs_fix_suggestion="You might want to install GNU Mailutils
+ <http://mailutils.org>
+ $emacs_use_pop";;
esac
- AC_MSG_NOTICE([You might want to $emacs_fix_movemail.]);;
+ AC_MSG_WARN([This configuration installs a 'movemail' program
+ that does not support POP3 mail retrieval at all due to lack of
+ support for secure channels.
+ $emacs_fix_suggestion]);;
esac
+ fi
fi
test "$MAKE" = make || AC_MSG_NOTICE([Now you can run '$MAKE'.])
--
2.14.2.642.g20fed7cad
next prev parent reply other threads:[~2017-10-02 16:29 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-09-25 15:11 bug#28597: 26.0.60; [Security] Configure should use --without-pop by default N. Jackson
2017-09-25 15:21 ` John Wiegley
2017-09-26 9:13 ` Robert Pluim
2017-09-26 15:39 ` Glenn Morris
2017-09-26 17:22 ` Paul Eggert
2017-09-26 18:51 ` John Wiegley
2017-09-29 13:14 ` Eli Zaretskii
2017-09-29 14:05 ` Robert Pluim
2017-09-29 17:42 ` Eli Zaretskii
2017-09-29 20:04 ` Robert Pluim
2017-10-02 16:29 ` Robert Pluim [this message]
2017-10-02 18:23 ` Paul Eggert
2017-10-03 8:09 ` Robert Pluim
2017-10-03 14:34 ` Eli Zaretskii
2017-10-03 15:03 ` Robert Pluim
2017-10-03 15:42 ` Eli Zaretskii
2017-10-03 22:47 ` Paul Eggert
2017-10-04 7:14 ` Robert Pluim
2017-10-16 2:34 ` Noam Postavsky
2017-09-29 16:07 ` N. Jackson
2017-09-29 17:53 ` Eli Zaretskii
2017-09-29 18:14 ` N. Jackson
2017-09-29 19:11 ` Eli Zaretskii
2017-10-02 17:22 ` N. Jackson
2017-10-02 17:32 ` Eli Zaretskii
2017-10-02 18:00 ` Paul Eggert
2017-10-02 18:47 ` Eli Zaretskii
2017-10-02 23:20 ` Paul Eggert
2017-10-03 2:29 ` Eli Zaretskii
2017-10-03 14:29 ` N. Jackson
2017-10-03 14:55 ` Robert Pluim
2017-10-03 15:43 ` Eli Zaretskii
2017-10-02 18:00 ` Paul Eggert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=873771wm1y.fsf@gmail.com \
--to=rpluim@gmail.com \
--cc=28597@debbugs.gnu.org \
--cc=eggert@cs.ucla.edu \
--cc=eliz@gnu.org \
--cc=jwiegley@gmail.com \
--cc=nljlistbox2@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/emacs.git
https://git.savannah.gnu.org/cgit/emacs/org-mode.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.