Re: [ANNOUNCE] Emacs 25.3 released

From: Ulrich Mueller
Subject: Re: [ANNOUNCE] Emacs 25.3 released
Date: Thu, 14 Sep 2017 08:37:18 +0200

>>>>> On Wed, 13 Sep 2017, Richard Stallman wrote:

>> Please don't. That would break the download for distros who rely on
>> pristine upstream sources and apply separate patches. For example,
>> Gentoo still has packages app-editors/emacs-23.4-r16 and
>> app-editors/emacs-24.5-r4 (of course, both *with* the fix for
>> enriched-mode).

> So how do we inform people not to download the broken versions?

Bugs (security or other) happen all the time, so most old versions
will be broken in some way. In spite of that, I am not aware of any
project that is renaming its old tarballs.

It is also not the first time there is a security bug in GNU Emacs
(although it's been a while since the last one). A quick search shows
CVE-2014-3421, -3422, -3423, and -3424 concerning insecure handling
of temporary files in gnus-fun.el, find-gc.el, browse-url.el, and
tramp.el. No renaming of tarballs took place, neither for that issue
(which affected Emacs 24.3) nor for any previous ones.

I would also assume that users will generally download only the latest
version of any given software, and that they are aware that old
versions can contain bugs.

> If Gentoo will have a patch to fix that version,
> can't the same patch be put in the new file name of that version?

Sure, we could update the filename in our ebuild. Which would mean
more work though. We have some 19000 packages in the distro, and
there's other work to do than monitoring if upstream tarballs have
been renamed.


