[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Emacs 28.3 Release

From: Po Lu
Subject: Re: Emacs 28.3 Release
Date: Mon, 10 Apr 2023 21:50:18 +0800
User-agent: Gnus/5.13 (Gnus v5.13)

Troy Hinckley <comms@dabrev.com> writes:

> Hi Emacs devs, I am asking again what we can do to complete the Emacs
> 28.3 release. My concern is that we have a narrow window in which this
> version will be viable. As it currently stands the latest stable
> release has a high severity CVE that prevents Emacs from being
> installed in security sensitive domains. 28.3 will resolve that and
> make the latest stable release usable. However, someone will
> inevitably find another CVE against Emacs. At that point 28.3 will no
> longer be useful. Given how hard it has been to get this release, I
> doubt there would be resources to add another security patch to Emacs
> 28.

BTW, perhaps you could complain to your employer's security folks about
their policies wrt the CVE database, which is actually the computer
security circus's system for spreading patent libel against software.

You could cite the reasons put forth by the SQLite developers for not
taking notice of CVE reports, at http://www.sqlite.org/cves.html:

  - The developers often do not find out about CVEs until long after the
    bug is fixed. You can see this by the fact that many CVEs reference
    the bug fix in their initial report.

  - CVEs are a low-quality source of information about bugs in SQLite
    that are likely to affect most applications.

  - Almost all bugs reported by CVEs are just bugs and not true
    vulnerabilities. Claiming that they are vulnerabilities is
    stretching the meaning of the word "vulnerability" and the SQLite
    developers do not wish to participate in that deception.

  - The developers have no editorial influence on the content of CVEs,
    and they do not like to be controlled by groups in which they have
    no voice.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]