bug-gnu-emacs

bug#19479: Package manager vulnerable


From: Kelly Dean
Subject: bug#19479: Package manager vulnerable
Date: Thu, 08 Jan 2015 05:29:44 +0000

Glenn Morris wrote:
> I appreciate the spirit of wanting to provide a patch, but unless you
> have changed your position on the Emacs copyright assignment, I don't
> see that this patch can be used by Emacs.

I did do what you requested: submit a bug report, but not a patch. But this 
isn't just a bug; it's a security vulnerability, and Stefan invited me to 
submit a patch to fix it. So then I did.

Regarding the copyright issue, please don't conflate two separate issues like 
your copyright clerk tried to.

The first issue is: does the FSF want any more public domain code in Emacs than 
is already there? The answer is ‟no”, as explained by Donald R Robertson III, 
your copyright clerk, on February 19, 2013. When explaining why the FSF 
wouldn't accept my PD code, he wrote, ‟It really is more beneficial for our 
enforcement efforts if we get the work assigned instead of 'disclaimed'. We 
will only accept a disclaimer instead of an assignment in particular 
circumstances.”

Of course, he's right; PD code isn't useful for your enforcement efforts, but 
it's absurd to say it's an issue for my patches, which, even including this 
latest one, amount to no more than a few parts per million of the Emacs code 
base. Obviously it doesn't hurt your efforts; no copyright judge is going to 
care if Emacs has a few lines of Hamlet or any other PD information in it. The 
judge will let you sue people for GPL violations just the same.

Anyway, the first issue is clear: new PD code is unwelcome in Emacs. Emacs is 
your project, not mine, so regardless of how silly I think your exclusion of PD 
code is, I abided (and still abide) by your wishes. I submitted this patch 
because Stefan invited me to. Maybe Stefan just forgot that you asked me not to 
submit any more patches, but I assumed he invited this patch because a security 
vulnerability counted as a ‟particular circumstance” that your copyright clerk 
mentioned.

The second issue is: is my code in the public domain? The answer is ‟yes”; the 
author of SQLite says that's PD, and it is, the author of Qmail says that's PD, 
and it is, and I'm simply doing the same thing they are. My code is in the 
public domain. If you want, I can PGP-sign and publish on my website a 
statement that my patches are PD, even though that's more than the authors of 
SQLite and Qmail deemed necessary for their code.

Your clerk wrote, ‟placing a work in the public domain is difficult/may not be 
possible”. But that's obviously false, as proven by his statement that you do 
(sometimes) accept disclaimers, and as proven by the general legal acceptance 
of other people's statements that their work is PD, including highly respected 
authors such as Richard Hipp.

It's clear that the second issue is not an issue, especially in the United 
States, which is where I am, and the only purpose served by the FSF bringing it 
up is clouding the first issue, which is the only real issue.

I recommend not rejecting a patch to fix a security vulnerability just for the 
sake of keeping 29 lines of new PD code out of Emacs. If it really is too much 
PD code, then I recommend deleting feedmail.el (PD) to compensate.
