emacs-devel

Re: [ANNOUNCE] Emacs 25.3 released


From: Eli Zaretskii
Subject: Re: [ANNOUNCE] Emacs 25.3 released
Date: Wed, 13 Sep 2017 18:57:55 +0300

> From: Mike Gerwitz <address@hidden>
> Cc: address@hidden, Andreas Schwab <address@hidden>,  address@hidden,  
> address@hidden
> Date: Wed, 13 Sep 2017 11:12:49 -0400
> 
> Also, the tarball was uploaded to ftp.gnu.org, and signed.  Uploading to
> ftp.gnu.org itself requires the request to be signed with a GPG key
> registered on Savannah.[0]  This level of security is greater and more
> formal than repository commits/tags.

Indeed.

> If someone's system were compromised to the point of being able to
> successfully upload to ftp.gnu.org, chances are that they'll be able to
> forge a commit to the repository as well.

Before the announcement went out, the tarball was downloaded from
ftp.gnu.org to 3 different machines by 2 different people, built on
all 3 machines independently, and the build verified to not have the
vulnerability which Emacs 25.3 was supposed to fix.  I think this made
the possibility of tampering negligibly small, if not strictly zero.


