GNU bug report logs - #28597
26.0.60; [Security] Configure should use --without-pop by default
Reported by: nljlistbox2 <at> gmail.com (N. Jackson)
Date: Mon, 25 Sep 2017 15:12:01 UTC
Severity: normal
Found in version 26.0.60
Done: Noam Postavsky <npostavs <at> users.sourceforge.net>
Bug is archived. No further changes may be made.
Robert Pluim <rpluim <at> gmail.com> writes:
> No, we don't. I'll see if I can come up with some verbiage over the
> weekend, once I reconfigure my brain to (re-)understand autoconf
Apologies for the delay. Autoconf and I don't get on.
The attached patch against emacs-26 results in the following outputs
at the end of the ./configure run. I'm not sure we should suggest
'--without-pop' when that's the new default, but it's probably best to
be explicit.
---begin---
No mailutils installed, ./configure:
configure: WARNING: This configuration installs a 'movemail' program
that does not support POP3 mail retrieval at all due to lack of
support for secure channels.
You might want to install GNU Mailutils
<http://mailutils.org>
You can use './configure --with-pop',
but this is not recommended.
No mailutils installed, ./configure --with-pop:
configure: WARNING: This configuration installs a 'movemail' program
that retrieves POP3 email via only insecure channels.
To omit insecure POP3, you can use './configure --without-pop'.
With mailutils installed, ./configure --without-mailutils:
configure: WARNING: This configuration installs a 'movemail' program
that does not support POP3 mail retrieval at all due to lack of
support for secure channels.
You can use './configure --without-mailutils --with-pop',
but this is not recommended.
With mailutils installed, ./configure --without-mailutils --with-pop:
configure: WARNING: This configuration installs a 'movemail' program
that retrieves POP3 email via only insecure channels.
To omit insecure POP3, you can use './configure --without-pop'.
With mailutils installed, ./configure --with-pop:
# no output
With mailutils installed, ./configure
# no output
---end---
[0001-Default-to-without-pop.patch (text/x-diff, inline)]
From 2002807183af9e1c61ecd36bd04c28a269b7a6b5 Mon Sep 17 00:00:00 2001
From: Robert Pluim <rpluim <at> gmail.com>
Date: Mon, 2 Oct 2017 18:20:58 +0200
Subject: [PATCH] Default to --without-pop
2017-10-02 Robert Pluim <rpluim <at> gmail.com>
* configure.ac (with_pop): Default to off. Warn loudly when
this results in not supporting insecure POP3.
---
configure.ac | 33 ++++++++++++++++++++-------------
1 file changed, 20 insertions(+), 13 deletions(-)
diff --git a/configure.ac b/configure.ac
index 0b0bb5e144..c692c7a532 100644
--- a/configure.ac
+++ b/configure.ac
@@ -232,9 +232,11 @@ AC_DEFUN
m4_bpatsubst([with_$1], [[^0-9a-z]], [_])=$with_features])dnl
])dnl
-# FIXME: The default options '--without-mailutils --with-pop' result
+# The options '--without-mailutils --with-pop' result
# in a movemail implementation that supports only unencrypted POP3
-# connections. Encrypted connections should be the default.
+# connections, but we warn about that later. By default we
+# do *not* support unencrypted POP3
+# Encrypted connections should be the default.
AC_ARG_WITH([mailutils],
[AS_HELP_STRING([--with-mailutils],
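Review bot: The rewritten comment ends on two sentences that no longer fit together: "By default we do *not* support unencrypted POP3" has no closing period, and the retained "Encrypted connections should be the default." was the wish expressed by the old FIXME, which this patch now fulfils. Suggest finishing the first sentence and dropping the last line, so the comment states the new behaviour once instead of reading like an open to-do.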
@@ -251,8 +253,8 @@ AC_DEFUN
fi
AC_SUBST([with_mailutils])
-OPTION_DEFAULT_ON([pop],
- [don't support POP mail retrieval with movemail (--without-pop or
+OPTION_DEFAULT_OFF([pop],
+ [support POP mail retrieval with movemail (--without-pop or
--with-mailutils is recommended, as movemail POP is insecure)])
if test "$with_pop" = yes; then
AC_DEFINE(MAIL_USE_POP)
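Review bot: The help string for the now-off option still says "(--without-pop or --with-mailutils is recommended ...)", which reads oddly under a --with-pop entry when --without-pop is already the default. Suggest rewording it along the lines of "support POP mail retrieval with movemail (not recommended, as movemail POP is insecure; prefer --with-mailutils)". The diffstat also lists configure.ac as the only file changed, so a default flip that removes POP retrieval from builds that previously had it arrives without a NEWS entry; one should accompany this change.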
@@ -5566,23 +5568,28 @@ m4_define
if test ! "$with_mailutils"; then
if test "$with_pop" = yes; then
AC_MSG_WARN([This configuration installs a 'movemail' program
-that retrieves POP3 email via only insecure channels.
-To omit insecure POP3, you can use '$0 --without-pop'.])
- fi
-
+ that retrieves POP3 email via only insecure channels.
+ To omit insecure POP3, you can use '$0 --without-pop'.])
+ else
case $opsys in
mingw32)
# Don't suggest GNU Mailutils, as it hasn't been ported.
;;
*)
- emacs_fix_movemail="use '$0 --with-mailutils'"
+ emacs_use_pop="You can use '$0 ${emacs_config_options} --with-pop',
+ but this is not recommended."
case `(movemail --version) 2>/dev/null` in
- *Mailutils*) ;;
- *) emacs_fix_movemail="install GNU Mailutils
-<http://mailutils.org> and $emacs_fix_movemail";;
+ *Mailutils*) emacs_fix_suggestion="$emacs_use_pop";;
+ *) emacs_fix_suggestion="You might want to install GNU Mailutils
+ <http://mailutils.org>
+ $emacs_use_pop";;
esac
- AC_MSG_NOTICE([You might want to $emacs_fix_movemail.]);;
+ AC_MSG_WARN([This configuration installs a 'movemail' program
+ that does not support POP3 mail retrieval at all due to lack of
+ support for secure channels.
+ $emacs_fix_suggestion]);;
esac
+ fi
fi
test "$MAKE" = make || AC_MSG_NOTICE([Now you can run '$MAKE'.])
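Review bot: In the new else branch, the "does not support POP3 mail retrieval at all" warning is emitted only under the `*)` case, so on mingw32, where the branch is just the comment and `;;`, the build loses POP with no message at all. Suggest issuing the AC_MSG_WARN for every opsys and keeping only the Mailutils suggestion conditional. The branch also cannot tell the new default from an explicit --without-pop: emacs_use_pop is built from `$0 ${emacs_config_options} --with-pop`, and judging by the sample output emacs_config_options echoes the options given, so a user who deliberately passed --without-pop would be warned and shown a command carrying both flags. The continuation lines inside the AC_MSG_WARN arguments also appear to be indented now, which would carry that leading whitespace into the printed warning; the removed lines were flush left.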
--
2.14.2.642.g20fed7cad
This bug report was last modified 7 years and 223 days ago.