GNU bug report logs - #28597
26.0.60; [Security] Configure should use --without-pop by default

Previous Next

Package: emacs;

Reported by: nljlistbox2 <at> gmail.com (N. Jackson)

Date: Mon, 25 Sep 2017 15:12:01 UTC

Severity: normal

Found in version 26.0.60

Done: Noam Postavsky <npostavs <at> users.sourceforge.net>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: nljlistbox2 <at> gmail.com (N. Jackson)
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: John Wiegley <jwiegley <at> gmail.com>, eggert <at> cs.ucla.edu, 28597 <at> debbugs.gnu.org
Subject: bug#28597: 26.0.60; [Security] Configure should use --without-pop by default
Date: Fri, 29 Sep 2017 12:07:14 -0400

At 16:14 +0300 on Friday 2017-09-29, Eli Zaretskii wrote:
>
>> >>>>> Paul Eggert <eggert <at> cs.ucla.edu> writes:
>> 
>> > As Glenn noted, the 'configure' message N. mentions came from
>> > an uneasy compromise between worry about the default
>> > lack-of-security in Emacs, and worry about backward
>> > compatibility (see Bug#26102). Although I favor making
>> > --without-pop the default, at this point it's really an issue
>> > for the two maintainers to decide.
>
> I already agreed in
> http://lists.gnu.org/archive/html/emacs-devel/2017-08/msg00054.html
> to have --without-pop be the default, and Paul already installed
> a patch to do that.

And yet --without-pop does not appear to be the default here on the
emacs-26 branch.

I updated a few minutes ago (commit
61225964edbaa01e49a6e776af00502ab31767b5), and running configure
writes the following to stderr:

  configure: WARNING: Your version of Gtk+ will have problems with
         closing open displays.  This is no problem if you just use
         one display, but if you use more than one and close one of them
         Emacs may crash.
         See http://bugzilla.gnome.org/show_bug.cgi?id=85715
  configure: WARNING: This configuration installs a 'movemail' program
  that retrieves POP3 email via only insecure channels.
  To omit insecure POP3, you can use './configure --without-pop'.

> So I'm confused about this discussion: what exactly is the
> problem, and what needs to be done/decided?

The problem is that --without-pop is not the default, or at least
that it appears that it is not the default. The general agreement
seems to be that it should be the default.

N.
This bug report was last modified 7 years and 223 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.