From: Lynn Winebarger
Newsgroups: gmane.emacs.devel
Subject: Re: Request to backport fix for CVE-2022-45939 to Emacs 28
Date: Thu, 16 Feb 2023 20:44:33 -0500
To: Troy Hinckley
Cc: lux, Eli Zaretskii, emacs-devel@gnu.org

On Tue, Feb 14, 2023 at 12:06 PM Troy Hinckley wrote:
>
> If the commit was cherry picked to the emacs-28 branch, does that mean it’s just unreleased changes for Emacs 28? We are building from source, so that might be enough. I didn’t realize cutting a release was high effort.

FWIW, I suspect a lot of users get automated updates from their packager of choice, whether it's a Linux distro, Cygwin, MSYS2, or whatever. If you look at their source packages, they routinely apply these kinds of changes as updates to older releases. Even if you don't use that packager, you can still use their source package for Emacs to get a version with the relevant security patches.

This is one of those cases where the practices of proprietary software vendors and free software diverge. Proprietary software vendors have the sole legal right to update their software, so any updates have to come from them. With free software, many (maybe most) of us get packages from a redistributor that takes on the responsibility of providing high-priority fixes for existing installations without requiring upstream maintainers to create a new release for every such event, or push such releases out. It may even be a bit more of a burden to add an upstream release just for a single improvement.

Lynn