Re: Request to backport fix for CVE-2022-45939 to Emacs 28

[Lynn Winebarger]

On Tue, Feb 14, 2023 at 12:06 PM Troy Hinckley <comms@dabrev.com> wrote:
>
> If the commit was cherry picked to the emacs-28 branch, does that mean it’s 
> just unreleased changes for Emacs 28? We are building from source, so that 
> might be enough. I didn’t realize cutting a release was high effort.

FWIW, I suspect a lot of users get automated updates from their
packager of choice, whether it's linux distro, Cygwin, MSYS2, or
whatever.  If you look at their source packages, they routinely apply
these kinds of changes as updates to older releases.  Even if you
don't use that packager, you can still use their source package for
Emacs to get a version with the relevant security patches.

This is one of those cases where the practices of proprietary software
vendors and free software diverge.  Proprietary software vendors have
the sole legal right to update their software, so any updates have to
come from them.  WIth free software, many (maybe most) of us get
packages from a redistributor that takes on the responsibility of
providing high-priority fixes for existing installations without
requiring upstream maintainers to create a new release for every such
event, or push such releases out.  It may even be a bit more of a
burden to add an upstream release just for a single improvement.

Lynn