Stephen J. Turnbull wrote:
> Mike Kupfer writes:
>
> If you restrict "safe" to "doesn't implicitly execute Lisp code from
> the file" in XEmacs's default configuration, as far as I know that's
> safe.
Yes, that's safe enough for me.
> > Okay, but that's not an argument against patching vulnerabilities when
> > they are discovered.
>
> The argument is (1) patching costs developer effort
I'm motivated to help. If we refuse to apply patches like this, I
expect that my employer will eventually tell me I'm not allowed to run
XEmacs on company systems, and that is something I would regret. (I
don't think my employer is terribly concerned about Emacsen in general.
But the policy seems to be that if a security patch has been issued, it,
or something at least as safe, must be applied.)
> and (2) gives
> users a false sense of security. These vulnerabilities are introduced
> by design; they shouldn't be there at all, at least not in core.
I'm not sure I understand. In some cases the vulnerability may be
deliberate, in other cases it may just be that nobody worked through the
implications. In this case it appears that the upstream developers have
reconsidered an earlier approach and replaced it with something safer.
> But
> AFAIK they are rarely if ever exploited, so I guess GNU compatibility
> comes first.
I'm afraid I don't understand you here.
mike
_______________________________________________
XEmacs-Beta mailing list
XEmacs-Beta(a)xemacs.org
http://lists.xemacs.org/mailman/listinfo/xemacs-beta