Re: Hotfixing older Emacsen? Was: [ANNOUNCE] Emacs 25.3 released

[Phillip Lord]

Clément Pit-Claudel <address@hidden> writes:

> On 2017-09-11 22:52, Nicolas Petton wrote:
>> This vulnerability was introduced in Emacs 19.29.  To work around that
>> in Emacs versions before 25.3, append the following to your ~/.emacs
>> init file: [...]
>
> Crazy though: why don't we hot-patch existing Emacs installations?
> Concretely, that would mean including that fix in a widely used ELPA
> or MELPA package. Then users would get the fix upon the next update.
>
> In the long run, we could have an emacs-security-patches package on
> ELPA that's installed by default, and we could publish security fixes
> to that repo.
> (We don't currently have this, so we could use another common package
> instead for this specific issue)
>
> Wouldn't this make it much easier to fix vulnerabilities, without
> requiring a whole-Emacs update?


Putting fixes in another package doesn't make sense. Adding a
security-hotfix package to ELPA is simple and easy to do. For future
Emacs, it would be possible to do things like auto-install that package.

Phil