[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [ANNOUNCE] Emacs 25.3 released
From: |
Ulrich Mueller |
Subject: |
Re: [ANNOUNCE] Emacs 25.3 released |
Date: |
Thu, 14 Sep 2017 08:37:18 +0200 |
>>>>> On Wed, 13 Sep 2017, Richard Stallman wrote:
>> Please don't. That would break the download for distros who rely on
>> pristine upstream sources and apply separate patches. For example,
>> Gentoo still has packages app-editors/emacs-23.4-r16 and
>> app-editors/emacs-24.5-r4 (of course, both *with* the fix for
>> enriched-mode).
> So how do we inform people not to download the broken versions?
Bugs (security or other) happen all the time, so most old versions
will be broken in some way. In spite of that, I am not aware of any
project that is renaming its old tarballs.
It is also not the first time there is a security bug in GNU Emacs
(although it's been a while since the last one). A quick search shows
CVE-2014-3421, -3422, -3423, and -3424 concerning insecure handling
of temporary files in gnus-fun.el, find-gc.el, browse-url.el, and
tramp.el. No renaming of tarballs took place, neither for that issue
(which affected Emacs 24.3) nor for any previous ones.
I would also assume that users will generally download only the latest
version of any given software, and that they are aware that old
versions can contain bugs.
> If Gentoo will have a patch to fix that version,
> can't the same patch put in the new file name of that version?
Sure, we could update the filename in our ebuild. Which would mean
more work though. We have some 19000 packages in the distro, and
there's other work to do than monitoring if upstream tarballs have
been renamed.
Ulrich
- Re: [ANNOUNCE] Emacs 25.3 released, (continued)
- Re: [ANNOUNCE] Emacs 25.3 released, Roland Winkler, 2017/09/12
- Re: [ANNOUNCE] Emacs 25.3 released, Paul Eggert, 2017/09/12
- Re: [ANNOUNCE] Emacs 25.3 released, Roland Winkler, 2017/09/12
- Re: [ANNOUNCE] Emacs 25.3 released, Eli Zaretskii, 2017/09/12
- Re: [ANNOUNCE] Emacs 25.3 released, Paul Eggert, 2017/09/12
- Re: [ANNOUNCE] Emacs 25.3 released, Eli Zaretskii, 2017/09/12
- Re: [ANNOUNCE] Emacs 25.3 released, Nicolas Petton, 2017/09/12
- Re: [ANNOUNCE] Emacs 25.3 released, Richard Stallman, 2017/09/13
- Re: [ANNOUNCE] Emacs 25.3 released, Ulrich Mueller, 2017/09/13
- Re: [ANNOUNCE] Emacs 25.3 released, Richard Stallman, 2017/09/13
- Re: [ANNOUNCE] Emacs 25.3 released,
Ulrich Mueller <=
- Re: Emacs 25.3 released, Etienne Prud’homme, 2017/09/14
- Re: Emacs 25.3 released, Nicolas Petton, 2017/09/14
- Re: [ANNOUNCE] Emacs 25.3 released, Richard Stallman, 2017/09/14
Re: [ANNOUNCE] Emacs 25.3 released, Eli Zaretskii, 2017/09/12
Re: [ANNOUNCE] Emacs 25.3 released, Phillip Lord, 2017/09/12
- Re: [ANNOUNCE] Emacs 25.3 released, Stefan Monnier, 2017/09/12
- security-patches package (was: [ANNOUNCE] Emacs 25.3 released), Ted Zlatanov, 2017/09/14
- Re: security-patches package, Stefan Monnier, 2017/09/15
- Re: security-patches package, Ted Zlatanov, 2017/09/16
- Re: security-patches package, Phillip Lord, 2017/09/21