GNU bug report logs - #74413
[PATCH] Allow to store and read repository information of VCS builds

Previous Next

Package: emacs;

Reported by: Björn Bidar <bjorn.bidar <at> thaodan.de>

Date: Mon, 18 Nov 2024 08:19:02 UTC

Severity: wishlist

Tags: patch, wontfix

Done: Stefan Kangas <stefankangas <at> gmail.com>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Björn Bidar <bjorn.bidar <at> thaodan.de>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: luangruo <at> yahoo.com, 74413 <at> debbugs.gnu.org, Stefan Kangas <stefankangas <at> gmail.com>
Subject: bug#74413: [PATCH] Allow to store and read repository information of VCS builds
Date: Tue, 19 Nov 2024 18:16:28 +0200

Eli Zaretskii <eliz <at> gnu.org> writes:

>> From: Stefan Kangas <stefankangas <at> gmail.com>
>> Date: Mon, 18 Nov 2024 18:48:31 -0500
>> Cc: luangruo <at> yahoo.com, 74413 <at> debbugs.gnu.org
>> 
>> Eli Zaretskii <eliz <at> gnu.org> writes:
>> 
>> > The branch name could be private.
>> >
>> > Stefan, WDYT about this feature suggestion?
>> 
>> The privacy risk here is that if a user is building their own private
>> branch, announcing the sha or branch name to the world can be used to
>> uniquely identify that user.  It would be a serious privacy issue if we,
>> for example, included that information in User-Agent headers sent by EWW
>> or other kinds of network traffic.  AFAIK, we don't do that.
>> 
>> IIUC, we use this information only when submitting bug reports.  I think
>> this is harmless, if we assume privacy threat models where it can also
>> be considered safe to report bugs.  The few users that have more strict
>> privacy requirements, and are eager to report bugs, will just have to
>> think about this detail themselves; it's a rather specialized use case.
>
> AFAIU, the intent is to use this for more than just bug reporting.

Where could leak the feature information? If it could it should be
adjusted as well for the Android builds.

>> I don't fully understand how you can have a situation where you can get
>> this information in the Makefile, but you can't also get it when dumping
>> using `emacs-repository-get-version` and `emacs-repository-get-branch`
>> (lisp/loadup.el:474).  Could you please elaborate on this?
>
> Yes, I still don't understand the utility of this feature, since it
> needs Git for producing the information in the file.

As explained Git doesn't have to be installed using that feature on the
machine that executes the built Emacs or on the builder.

The feature is the same as for the Android builds just for other
platforms, the reasons are the same as for Android.
This bug report was last modified 156 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.