bug#19479: Package manager vulnerable
From: Kelly Dean
Subject: bug#19479: Package manager vulnerable
Date: Thu, 08 Jan 2015 05:29:44 +0000
Glenn Morris wrote:
> I appreciate the spirit of wanting to provide a patch, but unless you
> have changed your position on the Emacs copyright assignment, I don't
> see that this patch can be used by Emacs.
I did do what you requested: submit a bug report, but not a patch. But this
isn't just a bug; it's a security vulnerability, and Stefan invited me to
submit a patch to fix it. So then I did.
Regarding the copyright issue, please don't conflate two separate issues like
your copyright clerk tried to.
The first issue is: does the FSF want any more public domain code in Emacs than
is already there? The answer is ‟no”, as explained by Donald R Robertson III,
your copyright clerk, on February 19, 2013. When explaining why the FSF
wouldn't accept my PD code, he wrote, ‟It really is more beneficial for our
enforcement efforts if we get the work assigned instead of 'disclaimed'. We
will only accept a disclaimer instead of an assignment in particular
circumstances.”
Of course, he's right; PD code isn't useful for your enforcement efforts, but
it's absurd to say it's an issue for my patches, which, even including this
latest one, amount to no more than a few parts per million of the Emacs code
base. Obviously it doesn't hurt your efforts; no copyright judge is going to
care if Emacs has a few lines of Hamlet or any other PD information in it. The
judge will let you sue people for GPL violations just the same.
Anyway, the first issue is clear: new PD code is unwelcome in Emacs. Emacs is
your project, not mine, so regardless of how silly I think your exclusion of PD
code is, I abided (and still abide) by your wishes. I submitted this patch
because Stefan invited me to. Maybe Stefan just forgot that you asked me not to
submit any more patches, but I assumed he invited this patch because a security
vulnerability counted as a ‟particular circumstance” that your copyright clerk
mentioned.
The second issue is: is my code in the public domain? The answer is ‟yes”; the
author of SQLite says that's PD, and it is, the author of Qmail says that's PD,
and it is, and I'm simply doing the same thing they are. My code is in the
public domain. If you want, I can PGP-sign and publish on my website a
statement that my patches are PD, even though that's more than the authors of
SQLite and Qmail deemed necessary for their code.
Your clerk wrote, ‟placing a work in the public domain is difficult/may not be
possible”. But that's obviously false, as proven by his statement that you do
(sometimes) accept disclaimers, and as proven by the general legal acceptance
of other people's statements that their work is PD, including highly respected
authors such as Richard Hipp.
It's clear that the second issue is not an issue, especially in the United
States, which is where I am, and the only purpose served by the FSF bringing it
up is clouding the first issue, which is the only real issue.
I recommend not rejecting a patch to fix a security vulnerability just for the
sake of keeping 29 lines of new PD code out of Emacs. If it really is too much
PD code, then I recommend deleting feedmail.el (PD) to compensate.