From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!.POSTED!not-for-mail From: Robert Pluim Newsgroups: gmane.emacs.bugs Subject: bug#28597: 26.0.60; [Security] Configure should use --without-pop by default Date: Mon, 02 Oct 2017 18:29:13 +0200 Message-ID: <873771wm1y.fsf@gmail.com> References: <837ewh8x5z.fsf@gnu.org> <87r2upd2h5.fsf@gmail.com> <83a81d7666.fsf@gnu.org> <87h8vl1db2.fsf@gmail.com> NNTP-Posting-Host: blaine.gmane.org Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="=-=-=" X-Trace: blaine.gmane.org 1506961817 571 195.159.176.226 (2 Oct 2017 16:30:17 GMT) X-Complaints-To: usenet@blaine.gmane.org NNTP-Posting-Date: Mon, 2 Oct 2017 16:30:17 +0000 (UTC) User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.60 (gnu/linux) Cc: jwiegley@gmail.com, eggert@cs.ucla.edu, 28597@debbugs.gnu.org, nljlistbox2@gmail.com To: Eli Zaretskii Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Mon Oct 02 18:30:10 2017 Return-path: Envelope-to: geb-bug-gnu-emacs@m.gmane.org Original-Received: from lists.gnu.org ([208.118.235.17]) by blaine.gmane.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dz3be-0007hC-9b for geb-bug-gnu-emacs@m.gmane.org; Mon, 02 Oct 2017 18:30:10 +0200 Original-Received: from localhost ([::1]:53313 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dz3bi-0004AE-NS for geb-bug-gnu-emacs@m.gmane.org; Mon, 02 Oct 2017 12:30:14 -0400 Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:36088) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dz3ba-00049o-CG for bug-gnu-emacs@gnu.org; Mon, 02 Oct 2017 12:30:09 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dz3bX-0004cM-5R for bug-gnu-emacs@gnu.org; Mon, 02 Oct 2017 12:30:06 -0400 Original-Received: from debbugs.gnu.org ([208.118.235.43]:35735) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1dz3bX-0004az-27 for bug-gnu-emacs@gnu.org; Mon, 02 Oct 2017 12:30:03 -0400 Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1dz3bW-0005jm-Mk for bug-gnu-emacs@gnu.org; Mon, 02 Oct 2017 12:30:02 -0400 X-Loop: help-debbugs@gnu.org Resent-From: Robert Pluim Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Mon, 02 Oct 2017 16:30:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 28597 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: Original-Received: via spool by 28597-submit@debbugs.gnu.org id=B28597.150696177621974 (code B ref 28597); Mon, 02 Oct 2017 16:30:02 +0000 Original-Received: (at 28597) by debbugs.gnu.org; 2 Oct 2017 16:29:36 +0000 Original-Received: from localhost ([127.0.0.1]:44414 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dz3b3-0005iH-2z for submit@debbugs.gnu.org; Mon, 02 Oct 2017 12:29:36 -0400 Original-Received: from mail-wm0-f46.google.com ([74.125.82.46]:56944) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dz3ax-0005i0-Lb for 28597@debbugs.gnu.org; Mon, 02 Oct 2017 12:29:31 -0400 Original-Received: by mail-wm0-f46.google.com with SMTP id e195so7995705wma.5 for <28597@debbugs.gnu.org>; Mon, 02 Oct 2017 09:29:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:references:gmane-reply-to-list:date:in-reply-to :message-id:user-agent:mime-version; bh=AnlWAhZEXV8mqJS8+w4CZFTeU/+YERrN3QGDmi5ayds=; b=bloszhhcuDtt8ghnouk1WHcsjA6p1TI0ZHvvNVg3C/KeWq20ceTcB/TwjSNQZktq5j ESEGtLEWWhHgY7dDrBJfV5krz+Py7DYfJQ8A2PzfYg9Ub/iJXmSuJNrTVYSHgtSaAhv8 elllScFW36bZgBc9SQFYbCoNfaPfaxJleQNITGwMSPGfY6yNP6BAlcaN5fryV0yuPNsA X82IrJ0/aN0DVbsS3Hu5WQr7HpU0CHiFzArC+ivnPe1F6WVXf0t9OUpEEGz8k6Sw2KEh j/9Kj8Jr3zTALvBrwCsUP3Za/5ehdy77qR5K2roB0ZaGCixwk2mgYD0lkTyIdB88TLWj Trqw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:references :gmane-reply-to-list:date:in-reply-to:message-id:user-agent :mime-version; bh=AnlWAhZEXV8mqJS8+w4CZFTeU/+YERrN3QGDmi5ayds=; b=eBt/VnFMAoxHWY2JMaQFTYmw/RZFbhboWViCdvbcnFeq2uTAdgbKngTHbWNjKpBA/T dfnlWV1W5h/bSn5TH6jC8kPrzd7SqXlTXu7Uuze7tinsaOPLCUNlJKyrb8mQahMumTMS OMHRKu7k6qnIbYB/OOjVnSyU0VJ3naAuxVC4yUYcwTB8mcEpFP7/ZeAXHg07p2epuDpf 9QtaXu03FZPgJUz1RHaOBv+Kv3KE+QEwPgKoge9mIpenrocPU/LvRQLLRhdwrdFujjHG QHY3aFm9vm/8ymwXnJK37SqAwe75BF/SWe6kdJcgb3ZquqHIusx/4ODkfO/qRmuRBmvr p4Yg== X-Gm-Message-State: AMCzsaWBF1YN0QNKMAb4+/a4DGDy5w1aCqj8Xyd+6LKgfD0OXnF8Rvo3 j4UH2Yid7waJhus4rz9//4k= X-Google-Smtp-Source: AOwi7QC3Wc6eJMhV7xhlZKBJkLL+Dq382+OLdTU0cvafXHRWWtEBbsNReJZJrZABRvdzJpHlmIdU0w== X-Received: by 10.28.165.212 with SMTP id o203mr5528652wme.68.1506961761769; Mon, 02 Oct 2017 09:29:21 -0700 (PDT) Original-Received: from rpluim-ubuntu ([149.5.228.1]) by smtp.gmail.com with ESMTPSA id p15sm4925621wmi.2.2017.10.02.09.29.19 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 02 Oct 2017 09:29:20 -0700 (PDT) Gmane-Reply-To-List: yes In-Reply-To: <87h8vl1db2.fsf@gmail.com> (Robert Pluim's message of "Fri, 29 Sep 2017 22:04:49 +0200") X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 208.118.235.43 X-BeenThere: bug-gnu-emacs@gnu.org List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Original-Sender: "bug-gnu-emacs" Xref: news.gmane.org gmane.emacs.bugs:137788 Archived-At: --=-=-= Content-Type: text/plain Robert Pluim writes: > No, we don't. I'll see if I can come up with some verbiage over the > weekend, once I reconfigure my brain to (re-)understand autoconf Apologies for the delay. Autoconf and I don't get on. The attached patch against emacs-26 results in the following outputs at the end of the ./configure run. I'm not sure we should suggest '--without-pop' when that's the new default, but it's probably best to be explicit. ---begin--- No mailutils installed, ./configure: configure: WARNING: This configuration installs a 'movemail' program that does not support POP3 mail retrieval at all due to lack of support for secure channels. You might want to install GNU Mailutils You can use './configure --with-pop', but this is not recommended. No mailutils installed, ./configure --with-pop: configure: WARNING: This configuration installs a 'movemail' program that retrieves POP3 email via only insecure channels. To omit insecure POP3, you can use './configure --without-pop'. With mailutils installed, ./configure --without-mailutils: configure: WARNING: This configuration installs a 'movemail' program that does not support POP3 mail retrieval at all due to lack of support for secure channels. You can use './configure --without-mailutils --with-pop', but this is not recommended. With mailutils installed, ./configure --without-mailutils --with-pop: configure: WARNING: This configuration installs a 'movemail' program that retrieves POP3 email via only insecure channels. To omit insecure POP3, you can use './configure --without-pop'. With mailutils installed, ./configure --with-pop: # no output With mailutils installed, ./configure # no output ---end--- --=-=-= Content-Type: text/x-diff Content-Disposition: inline; filename=0001-Default-to-without-pop.patch >From 2002807183af9e1c61ecd36bd04c28a269b7a6b5 Mon Sep 17 00:00:00 2001 From: Robert Pluim Date: Mon, 2 Oct 2017 18:20:58 +0200 Subject: [PATCH] Default to --without-pop 2017-10-02 Robert Pluim * configure.ac (with_pop): Default to off. Warn loudly when this results in not supporting insecure POP3. --- configure.ac | 33 ++++++++++++++++++++------------- 1 file changed, 20 insertions(+), 13 deletions(-) diff --git a/configure.ac b/configure.ac index 0b0bb5e144..c692c7a532 100644 --- a/configure.ac +++ b/configure.ac @@ -232,9 +232,11 @@ AC_DEFUN m4_bpatsubst([with_$1], [[^0-9a-z]], [_])=$with_features])dnl ])dnl -# FIXME: The default options '--without-mailutils --with-pop' result +# The options '--without-mailutils --with-pop' result # in a movemail implementation that supports only unencrypted POP3 -# connections. Encrypted connections should be the default. +# connections, but we warn about that later. By default we +# do *not* support unencrypted POP3 +# Encrypted connections should be the default. AC_ARG_WITH([mailutils], [AS_HELP_STRING([--with-mailutils], @@ -251,8 +253,8 @@ AC_DEFUN fi AC_SUBST([with_mailutils]) -OPTION_DEFAULT_ON([pop], - [don't support POP mail retrieval with movemail (--without-pop or +OPTION_DEFAULT_OFF([pop], + [support POP mail retrieval with movemail (--without-pop or --with-mailutils is recommended, as movemail POP is insecure)]) if test "$with_pop" = yes; then AC_DEFINE(MAIL_USE_POP) @@ -5566,23 +5568,28 @@ m4_define if test ! "$with_mailutils"; then if test "$with_pop" = yes; then AC_MSG_WARN([This configuration installs a 'movemail' program -that retrieves POP3 email via only insecure channels. -To omit insecure POP3, you can use '$0 --without-pop'.]) - fi - + that retrieves POP3 email via only insecure channels. + To omit insecure POP3, you can use '$0 --without-pop'.]) + else case $opsys in mingw32) # Don't suggest GNU Mailutils, as it hasn't been ported. ;; *) - emacs_fix_movemail="use '$0 --with-mailutils'" + emacs_use_pop="You can use '$0 ${emacs_config_options} --with-pop', + but this is not recommended." case `(movemail --version) 2>/dev/null` in - *Mailutils*) ;; - *) emacs_fix_movemail="install GNU Mailutils - and $emacs_fix_movemail";; + *Mailutils*) emacs_fix_suggestion="$emacs_use_pop";; + *) emacs_fix_suggestion="You might want to install GNU Mailutils + + $emacs_use_pop";; esac - AC_MSG_NOTICE([You might want to $emacs_fix_movemail.]);; + AC_MSG_WARN([This configuration installs a 'movemail' program + that does not support POP3 mail retrieval at all due to lack of + support for secure channels. + $emacs_fix_suggestion]);; esac + fi fi test "$MAKE" = make || AC_MSG_NOTICE([Now you can run '$MAKE'.]) -- 2.14.2.642.g20fed7cad --=-=-=--