From: Po Lu
Newsgroups: gmane.emacs.devel
Subject: Re: Emacs 28.3 Release
Date: Mon, 10 Apr 2023 21:50:18 +0800
Message-ID: <87mt3fn8x1.fsf@yahoo.com>
References: <9ea47b22-f2d8-4225-b5f2-966ca0d797f9@Spark>
To: Troy Hinckley
Cc: emacs-devel@gnu.org, Eli Zaretskii, Stefan Kangas

Troy Hinckley writes:

> Hi Emacs devs, I am asking again what we can do to complete the Emacs
> 28.3 release. My concern is that we have a narrow window in which this
> version will be viable. As it currently stands the latest stable
> release has a high severity CVE that prevents Emacs from being
> installed in security sensitive domains. 28.3 will resolve that and
> make the latest stable release usable. However, someone will
> inevitably find another CVE against Emacs. At that point 28.3 will no
> longer be useful. Given how hard it has been to get this release, I
> doubt there would be resources to add another security patch to Emacs
> 28.

BTW, perhaps you could complain to your employer's security folks about
their policies wrt the CVE database, which is actually the computer
security circus's system for spreading patent libel against software.

You could cite the reasons put forth by the SQLite developers for not
taking notice of CVE reports, at http://www.sqlite.org/cves.html:

  - The developers often do not find out about CVEs until long after
    the bug is fixed. You can see this by the fact that many CVEs
    reference the bug fix in their initial report.

  - CVEs are a low-quality source of information about bugs in SQLite
    that are likely to affect most applications.

  - Almost all bugs reported by CVEs are just bugs and not true
    vulnerabilities. Claiming that they are vulnerabilities is
    stretching the meaning of the word "vulnerability" and the SQLite
    developers do not wish to participate in that deception.

  - The developers have no editorial influence on the content of CVEs,
    and they do not like to be controlled by groups in which they have
    no voice.