From: Richard Stallman
Newsgroups: gmane.emacs.bugs
Subject: bug#19479: Package manager vulnerable
Date: Tue, 06 Jan 2015 23:27:03 -0500
Reply-To: rms@gnu.org
To: Kelly Dean
Cc: 19479@debbugs.gnu.org
In-reply-to: <7H65S0MOziz4Z4bzCiATJJDvxaiWHmPOI3K95M87DGM@local> (message from Kelly Dean on Tue, 06 Jan 2015 06:38:12 +0000)
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: security

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

> If you expect him to know the latest version number of a package
> (without relying on the gnu.org webserver to find out, in case
> it's compromised),

It is normal for users to find the latest version based on gnu.org.
So we don't expect that.

> and you expect him to manually verify that his download is the
> latest version (in addition to verifying the signature, of
> course),

The file name has the version in it.

So it seems we have a problem to fix. Would you like to help us fix it?

-- 
Dr Richard Stallman
President, Free Software Foundation
51 Franklin St
Boston MA 02110
USA
www.fsf.org www.gnu.org
Skype: No way! That's nonfree (freedom-denying) software.
Use Ekiga or an ordinary phone call.