emacs-devel

Re: Emacs 28.3 Release


From: Po Lu
Subject: Re: Emacs 28.3 Release
Date: Mon, 10 Apr 2023 21:50:18 +0800
User-agent: Gnus/5.13 (Gnus v5.13)

Troy Hinckley <comms@dabrev.com> writes:

> Hi Emacs devs, I am asking again what we can do to complete the Emacs
> 28.3 release. My concern is that we have a narrow window in which this
> version will be viable. As it currently stands the latest stable
> release has a high severity CVE that prevents Emacs from being
> installed in security sensitive domains. 28.3 will resolve that and
> make the latest stable release usable. However, someone will
> inevitably find another CVE against Emacs. At that point 28.3 will no
> longer be useful. Given how hard it has been to get this release, I
> doubt there would be resources to add another security patch to Emacs
> 28.

BTW, perhaps you could complain to your employer's security folks about
their policies wrt the CVE database, which is actually the computer
security circus's system for spreading patent libel against software.

You could cite the reasons put forth by the SQLite developers for not
taking notice of CVE reports, at http://www.sqlite.org/cves.html:

  - The developers often do not find out about CVEs until long after the
    bug is fixed. You can see this by the fact that many CVEs reference
    the bug fix in their initial report.

  - CVEs are a low-quality source of information about bugs in SQLite
    that are likely to affect most applications.

  - Almost all bugs reported by CVEs are just bugs and not true
    vulnerabilities. Claiming that they are vulnerabilities is
    stretching the meaning of the word "vulnerability" and the SQLite
    developers do not wish to participate in that deception.

  - The developers have no editorial influence on the content of CVEs,
    and they do not like to be controlled by groups in which they have
    no voice.


