GNU bug report logs - #33587
[PROPOSED] Default to disabling ImageMagick

Package: emacs

Reported by: Paul Eggert <eggert <at> cs.ucla.edu>

Date: Sun, 2 Dec 2018 18:10:02 UTC

Severity: normal

Tags: security

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.


Message #34 received at 33587 <at> debbugs.gnu.org (full text, mbox):

From: Glenn Morris <rgm <at> gnu.org>
To: David Engster <deng <at> randomsample.de>
Cc: Paul Eggert <eggert <at> cs.ucla.edu>, 33587 <at> debbugs.gnu.org
Subject: Re: bug#33587: [PROPOSED] Default to disabling ImageMagick
Date: Tue, 04 Dec 2018 12:00:48 -0500

David Engster wrote:

> Question is: will disabling Imagemagick by default also have an impact
> on how Emacs is shipped in distributions?

I don't know. It depends whether they go with the default configure
options or not.

> I don't think so, at least as long as they don't drop Imagemagick
> completely.

Note that Red Hat Enterprise Linux 8 _will_ drop ImageMagick completely
(though it will probably be available from an add-on repository),
presumably because they don't feel able to keep up with the security
issues. That's what prompted me to first raise this in

http://lists.gnu.org/r/emacs-devel/2018-12/msg00036.html

> If for instance Debian has to take care of Imagemagick security issues
> anyway, why shouldn't Emacs link to it?

(For reference:
https://security-tracker.debian.org/tracker/source-package/imagemagick )

Because one can never guarantee all security issues are fixed, and if a
project has a history of having a lot of them, it may be considered
likely to be insecure. Also there are the various Emacs crash reports
due to ImageMagick.




This bug report was last modified 6 years and 69 days ago.
