GNU bug report logs - #28597
26.0.60; [Security] Configure should use --without-pop by default

Package: emacs;

Reported by: nljlistbox2 <at> gmail.com (N. Jackson)

Date: Mon, 25 Sep 2017 15:12:01 UTC

Severity: normal

Found in version 26.0.60

Done: Noam Postavsky <npostavs <at> users.sourceforge.net>

Bug is archived. No further changes may be made.


From: Eli Zaretskii <eliz <at> gnu.org>
To: nljlistbox2 <at> gmail.com (N. Jackson)
Cc: jwiegley <at> gmail.com, rpluim <at> gmail.com, eggert <at> cs.ucla.edu, 28597 <at> debbugs.gnu.org
Subject: bug#28597: 26.0.60; [Security] Configure should use --without-pop by default
Date: Mon, 02 Oct 2017 20:32:37 +0300

> From: nljlistbox2 <at> gmail.com (N. Jackson)
> Cc: jwiegley <at> gmail.com,  eggert <at> cs.ucla.edu,  28597 <at> debbugs.gnu.org, Robert Pluim <rpluim <at> gmail.com>
> Date: Mon, 02 Oct 2017 13:22:01 -0400
> 
> >> There's nothing terribly odd about my system and if the warning
> >> message from config is true, then _by default_ I'm going to get
> >> built an insecure Emacs.
> >
> > Only if you use POP3 to fetch your mail.
> 
> This raised a question in my mind (which has probably already
> been considered and dealt with). When a user has an Emacs that's
> configured to use an insecure movemail for POP3, when they issue a
> command in Emacs that invokes it, do they get a warning from
> Emacs?

No, they don't.  But POP3 is not something movemail will silently use
by itself, the user needs to specify a POP3 "url", referencing the
server and the user's id (and possibly a password as well) for it to
do so.  So the user who does that _knows_ they use POP3.  IOW, a
deliberate user action is needed for POP3 to be used.

> Given that many users don't build their own Emacs, they'll not see
> a warning from configure, so it would seem sensible for them to be
> warned at run time. (Given that they won't want to be plagued with
> a warning every time they check their mail, I'm thinking of a
> warning that appears when a relevant command is used for the first
> time, similar to the way disabled commands work.)

We also don't warn them when they use HTTP or FTP from Emacs, on the
assumption that users know what they are doing.  There's a limit to
our ability to nag users in order to save them from themselves.  At
some point, we need to start treating them as responsible adults, IMO.




This bug report was last modified 7 years and 223 days ago.
