From mboxrd@z Thu Jan 1 00:00:00 1970
From: phillip.lord@russet.org.uk (Phillip Lord)
Newsgroups: gmane.emacs.devel
Subject: Re: Hotfixing older Emacsen? Was: [ANNOUNCE] Emacs 25.3 released
Date: Thu, 14 Sep 2017 11:05:00 +0100
Message-ID: <87a81xr3xv.fsf@russet.org.uk>
References: <87wp55t0un.fsf@petton.fr>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux)
Cc: Nicolas Petton, Emacs Devel
To: Clément Pit-Claudel
In-Reply-To: ("Clément Pit-Claudel"'s message of "Wed, 13 Sep 2017 01:45:24 +0200")

Clément Pit-Claudel writes:

> On 2017-09-11 22:52, Nicolas Petton wrote:
>> This vulnerability was introduced in Emacs 19.29. To work around that
>> in Emacs versions before 25.3, append the following to your ~/.emacs
>> init file: [...]
>
> Crazy though: why don't we hot-patch existing Emacs installations?
> Concretely, that would mean including that fix in a widely used ELPA
> or MELPA package. Then users would get the fix upon the next update.
>
> In the long run, we could have an emacs-security-patches package on
> ELPA that's installed by default, and we could publish security fixes
> to that repo.
> (We don't currently have this, so we could use another common package
> instead for this specific issue)
>
> Wouldn't this make it much easier to fix vulnerabilities, without
> requiring a whole-Emacs update?

Putting fixes in another package doesn't make sense. Adding a
security-hotfix package to ELPA is simple and easy to do. For future
Emacs, it would be possible to do things like auto-install that package.

Phil