Re: Request to backport fix for CVE-2022-45939 to Emacs 28

[Eli Zaretskii]

> From: Tim Cross <theophilusx@gmail.com>
> Cc: lux <lx@shellcodes.org>, comms@dabrev.com, emacs-devel@gnu.org
> Date: Wed, 15 Feb 2023 07:10:58 +1100
> 
> 
> Eli Zaretskii <eliz@gnu.org> writes:
> 
> > But that is not what the OP requested: he requested that we also
> > produce an Emacs 28.3 release.  And that is a much larger job, for
> > which we currently don't have the time or resources.
> 
> While I understand the resourcing issues, I think this is the wrong
> decision. We are in the situation where the current released version of
> Emacs has a known security exploit with a severity classification of
> high (although this assessment seems to be under review) and the
> response seems to be "Sorry, we are too busy trying to get the next
> version released to deal with this". If we were actually close to an
> Emacs 29 release, then perhaps this would be reasonable, but we don't
> even have a release candidate out yet.
> 
> Failing to address a high security vulnerability for months is a
> disservice for the emacs user base and likely to be a blight on Emacs'
> reputation and only provides those against free software with free
> ammunition. In addition to the technical aspects of a security
> vulnerability, perception is just as important. While the specific
> technical aspects of this vulnerability would seem to indicate only a
> subset of etags users are actually exposed to this risk, such detail is
> likely to be lost amongst the FUD which tends to accompany security
> issues. 

Would you like to work on preparing an Emacs 28.3 tarball?  The
instructions are in admin/make-tarball.txt and a couple of additional
files to which it points.

TIA