Re: Emacs 25.3 released
From: Etienne Prud’homme
Subject: Re: Emacs 25.3 released
Date: Thu, 14 Sep 2017 09:24:16 -0400
User-agent: Emacs/25.2 (gnu/linux)

Ulrich Mueller <address@hidden> writes:
>>>>>> On Wed, 13 Sep 2017, Richard Stallman wrote:
>
>>> Please don't. That would break the download for distros who rely on
>>> pristine upstream sources and apply separate patches. For example,
>>> Gentoo still has packages app-editors/emacs-23.4-r16 and
>>> app-editors/emacs-24.5-r4 (of course, both *with* the fix for
>>> enriched-mode).
>
>> So how do we inform people not to download the broken versions?
>
> Bugs (security or other) happen all the time, so most old versions
> will be broken in some way. In spite of that, I am not aware of any
> project that is renaming its old tarballs.
>
> It is also not the first time there is a security bug in GNU Emacs
> (although it's been a while since the last one). A quick search shows
> CVE-2014-3421, -3422, -3423, and -3424 concerning insecure handling
> of temporary files in gnus-fun.el, find-gc.el, browse-url.el, and
> tramp.el. No renaming of tarballs took place, neither for that issue
> (which affected Emacs 24.3) nor for any previous ones.
>
> I would also assume that users will generally download only the latest
> version of any given software, and that they are aware that old
> versions can contain bugs.
>
>> If Gentoo will have a patch to fix that version,
>> can't the same patch put in the new file name of that version?
>
> Sure, we could update the filename in our ebuild. Which would mean
> more work though. We have some 19000 packages in the distro, and
> there's other work to do than monitoring if upstream tarballs have
> been renamed.
>
> Ulrich

Was there any fix for versions older than 24?

Maybe we could patch older versions too. I think it might be helpful to
set up a critical update mechanism. By that I mean patching every
affected version automatically with the semantic version system
(increment by 0.0.1 for bug fixes). By the way, are tarballs
automatically generated? If not, would it be hard to implement?

PS: I’m grateful for Petton’s work and not trying to minimize what he
did.

--
Etienne