GNU bug report logs - #28597
26.0.60; [Security] Configure should use --without-pop by default


Package: emacs

Reported by: nljlistbox2 <at> gmail.com (N. Jackson)

Date: Mon, 25 Sep 2017 15:12:01 UTC

Severity: normal

Found in version 26.0.60

Done: Noam Postavsky <npostavs <at> users.sourceforge.net>

Bug is archived. No further changes may be made.


From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: nljlistbox2 <at> gmail.com, rpluim <at> gmail.com, 28597 <at> debbugs.gnu.org, jwiegley <at> gmail.com
Subject: bug#28597: 26.0.60; [Security] Configure should use --without-pop by default
Date: Mon, 2 Oct 2017 16:20:26 -0700

On 10/02/2017 11:47 AM, Eli Zaretskii wrote:

> nagging users each time they invoke movemail to fetch via POP3 is
> IMO unacceptable.

Yes, that suggestion is problematic. But that (older) discussion is 
somewhat independent of the current thread, which is about builders and 
installers more than it is about users.

> we also use an encrypted POP3 connection
> _if_it's_available_, e.g. via Mailutils, Gnus, etc.

The concern here is about RMAIL, which currently uses Emacs movemail in 
the all-too-common case where Mailutils is not installed. In emacs-26 
the relevant section of the Emacs manual (doc/emacs/rmail.texi) says for 
the pop: protocol: "If the server supports it, ‘movemail’ tries to use 
an encrypted connection—use the ‘pops’ form to require one." This 
documents 'pop:' as meaning "encrypt if the server supports encryption, 
otherwise fall back on unencrypted", which is a natural expectation for 
users nowadays and is how Thunderbird works by default; but it's not how 
RMAIL works with Emacs movemail and 'pop:', as these connections are 
always unencrypted.

> I think we've cut enough slices of this salami, so let's stop,

Does this mean, stop before installing the patch proposed in 
Bug#28597#62, or stop after installing that patch? I hope it means the 
latter. That patch attempts to implement your suggestion in 
Bug#28597#32, as quoted below:

> > From: Robert Pluim <rpluim <at> gmail.com> ...
> > 
> > I thought we were discussing making --without-pop be the default even
> > if GNU Mailutils are not available, and it's what I'm
> > advocating. Paul's patch only did that if they were found.
>
> If that's what people want, fine with me on Posix platforms, but not
> on MS-Windows (where Mailutils are not available, and probably never
> will be).





This bug report was last modified 7 years and 223 days ago.
