emacs-devel

Re: Hotfixing older Emacsen? Was: [ANNOUNCE] Emacs 25.3 released


From: Phillip Lord
Subject: Re: Hotfixing older Emacsen? Was: [ANNOUNCE] Emacs 25.3 released
Date: Thu, 14 Sep 2017 11:05:00 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux)

Clément Pit-Claudel <address@hidden> writes:

> On 2017-09-11 22:52, Nicolas Petton wrote:
>> This vulnerability was introduced in Emacs 19.29.  To work around that
>> in Emacs versions before 25.3, append the following to your ~/.emacs
>> init file: [...]
>
> Crazy thought: why don't we hot-patch existing Emacs installations?
> Concretely, that would mean including that fix in a widely used ELPA
> or MELPA package. Then users would get the fix upon the next update.
>
> In the long run, we could have an emacs-security-patches package on
> ELPA that's installed by default, and we could publish security fixes
> to that repo.
> (We don't currently have this, so we could use another common package
> instead for this specific issue)
>
> Wouldn't this make it much easier to fix vulnerabilities, without
> requiring a whole-Emacs update?


Putting fixes in another package doesn't make sense. Adding a
security-hotfix package to ELPA is simple and easy to do. For future
Emacs, it would be possible to do things like auto-install that package.

Phil


