From mboxrd@z Thu Jan 1 00:00:00 1970
From: Etienne Prud’homme
Newsgroups: gmane.emacs.devel
Subject: Re: Emacs 25.3 released
Date: Thu, 14 Sep 2017 09:24:16 -0400
Message-ID: <87ingle7lr.fsf@x230.lts>
To: Ulrich Mueller
Cc: eggert@cs.ucla.edu, emacs-devel@gnu.org, rms@gnu.org, winkler@gnu.org
In-Reply-To: <22970.9118.120245.720675@a1i15.kph.uni-mainz.de> (Ulrich Mueller's message of "Thu, 14 Sep 2017 08:37:18 +0200")

Ulrich Mueller writes:

>>>>>> On Wed, 13 Sep 2017, Richard Stallman wrote:
>
>>> Please don't. That would break the download for distros who rely on
>>> pristine upstream sources and apply separate patches. For example,
>>> Gentoo still has packages app-editors/emacs-23.4-r16 and
>>> app-editors/emacs-24.5-r4 (of course, both *with* the fix for
>>> enriched-mode).
>
>> So how do we inform people not to download the broken versions?
>
> Bugs (security or other) happen all the time, so most old versions
> will be broken in some way. In spite of that, I am not aware of any
> project that is renaming its old tarballs.
>
> It is also not the first time there is a security bug in GNU Emacs
> (although it's been a while since the last one). A quick search shows
> CVE-2014-3421, -3422, -3423, and -3424 concerning insecure handling
> of temporary files in gnus-fun.el, find-gc.el, browse-url.el, and
> tramp.el. No renaming of tarballs took place, neither for that issue
> (which affected Emacs 24.3) nor for any previous ones.
>
> I would also assume that users will generally download only the latest
> version of any given software, and that they are aware that old
> versions can contain bugs.
>
>> If Gentoo will have a patch to fix that version,
>> can't the same patch put in the new file name of that version?
>
> Sure, we could update the filename in our ebuild. Which would mean
> more work though. We have some 19000 packages in the distro, and
> there's other work to do than monitoring if upstream tarballs have
> been renamed.
>
> Ulrich

Was there any fix for versions older than 24? Maybe we could patch
older versions too.

I think it might be helpful to set up a critical update mechanism. By
that I mean patching every affected version automatically with the
semantic version system (increment by 0.0.1 for bug fixes).

By the way, are tarballs automatically generated? If not, would it be
hard to implement?

PS: I’m grateful for petton’s work and not trying to minimize what he
did.

--
Etienne