Re: Emacs 28.3 Release

[Jean Louis]

* Troy Hinckley <comms@dabrev.com> [2023-04-10 16:21]:
> Hi Emacs devs,
> I am asking again what we can do to complete the Emacs 28.3 release. My 
> concern is that we have a narrow window in which this version will be viable. 
> As it currently stands the latest stable release has a high severity CVE that 
> prevents Emacs from being installed in security sensitive domains. 28.3 will 
> resolve that and make the latest stable release usable. However, someone will 
> inevitably find another CVE against Emacs. At that point 28.3 will no longer 
> be useful. Given how hard it has been to get this release, I doubt there 
> would be resources to add another security patch to Emacs 28.

Emacs has built-in programming language. Programming languages are not
secure by default. Their purpose is freedom to programmer to do what
programmers wants.

If people on this mailing list would decide, they could file X number
of (not so) common vulnerabilities, though developers are constantly
improving Emacs, not making their reputation by "discovering security
holes". As if focus would be on common vulnerabilities reporting then
those reports would be as great as GNU Emacs bug reports

This means that handling those one or few CVE reports related to Emacs
is only there for cosmetics purposes. It is for the fake image.

Handling few of those CVEs, or removing reports, or closing those
reports, doesn't make Emacs secure for "secure domains" as you
mentioned it.

It is as secure as people who are working with it.

-- 
Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns

In support of Richard M. Stallman
https://stallmansupport.org/