[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#28597: 26.0.60; [Security] Configure should use --without-pop by def
From: |
Robert Pluim |
Subject: |
bug#28597: 26.0.60; [Security] Configure should use --without-pop by default |
Date: |
Mon, 02 Oct 2017 18:29:13 +0200 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/26.0.60 (gnu/linux) |
Robert Pluim <rpluim@gmail.com> writes:
> No, we don't. I'll see if I can come up with some verbiage over the
> weekend, once I reconfigure my brain to (re-)understand autoconf
Apologies for the delay. Autoconf and I don't get on.
The attached patch against emacs-26 results in the following outputs
at the end of the ./configure run. I'm not sure we should suggest
'--without-pop' when that's the new default, but it's probably best to
be explicit.
---begin---
No mailutils installed, ./configure:
configure: WARNING: This configuration installs a 'movemail' program
that does not support POP3 mail retrieval at all due to lack of
support for secure channels.
You might want to install GNU Mailutils
<http://mailutils.org>
You can use './configure --with-pop',
but this is not recommended.
No mailutils installed, ./configure --with-pop:
configure: WARNING: This configuration installs a 'movemail' program
that retrieves POP3 email via only insecure channels.
To omit insecure POP3, you can use './configure --without-pop'.
With mailutils installed, ./configure --without-mailutils:
configure: WARNING: This configuration installs a 'movemail' program
that does not support POP3 mail retrieval at all due to lack of
support for secure channels.
You can use './configure --without-mailutils --with-pop',
but this is not recommended.
With mailutils installed, ./configure --without-mailutils --with-pop:
configure: WARNING: This configuration installs a 'movemail' program
that retrieves POP3 email via only insecure channels.
To omit insecure POP3, you can use './configure --without-pop'.
With mailutils installed, ./configure --with-pop:
# no output
With mailutils installed, ./configure
# no output
---end---
>From 2002807183af9e1c61ecd36bd04c28a269b7a6b5 Mon Sep 17 00:00:00 2001
From: Robert Pluim <rpluim@gmail.com>
Date: Mon, 2 Oct 2017 18:20:58 +0200
Subject: [PATCH] Default to --without-pop
2017-10-02 Robert Pluim <rpluim@gmail.com>
* configure.ac (with_pop): Default to off. Warn loudly when
this results in not supporting insecure POP3.
---
configure.ac | 33 ++++++++++++++++++++-------------
1 file changed, 20 insertions(+), 13 deletions(-)
diff --git a/configure.ac b/configure.ac
index 0b0bb5e144..c692c7a532 100644
--- a/configure.ac
+++ b/configure.ac
@@ -232,9 +232,11 @@ AC_DEFUN
m4_bpatsubst([with_$1], [[^0-9a-z]], [_])=$with_features])dnl
])dnl
-# FIXME: The default options '--without-mailutils --with-pop' result
+# The options '--without-mailutils --with-pop' result
# in a movemail implementation that supports only unencrypted POP3
-# connections. Encrypted connections should be the default.
+# connections, but we warn about that later. By default we
+# do *not* support unencrypted POP3
+# Encrypted connections should be the default.
AC_ARG_WITH([mailutils],
[AS_HELP_STRING([--with-mailutils],
@@ -251,8 +253,8 @@ AC_DEFUN
fi
AC_SUBST([with_mailutils])
-OPTION_DEFAULT_ON([pop],
- [don't support POP mail retrieval with movemail (--without-pop or
+OPTION_DEFAULT_OFF([pop],
+ [support POP mail retrieval with movemail (--without-pop or
--with-mailutils is recommended, as movemail POP is insecure)])
if test "$with_pop" = yes; then
AC_DEFINE(MAIL_USE_POP)
@@ -5566,23 +5568,28 @@ m4_define
if test ! "$with_mailutils"; then
if test "$with_pop" = yes; then
AC_MSG_WARN([This configuration installs a 'movemail' program
-that retrieves POP3 email via only insecure channels.
-To omit insecure POP3, you can use '$0 --without-pop'.])
- fi
-
+ that retrieves POP3 email via only insecure channels.
+ To omit insecure POP3, you can use '$0 --without-pop'.])
+ else
case $opsys in
mingw32)
# Don't suggest GNU Mailutils, as it hasn't been ported.
;;
*)
- emacs_fix_movemail="use '$0 --with-mailutils'"
+ emacs_use_pop="You can use '$0 ${emacs_config_options} --with-pop',
+ but this is not recommended."
case `(movemail --version) 2>/dev/null` in
- *Mailutils*) ;;
- *) emacs_fix_movemail="install GNU Mailutils
-<http://mailutils.org> and $emacs_fix_movemail";;
+ *Mailutils*) emacs_fix_suggestion="$emacs_use_pop";;
+ *) emacs_fix_suggestion="You might want to install GNU Mailutils
+ <http://mailutils.org>
+ $emacs_use_pop";;
esac
- AC_MSG_NOTICE([You might want to $emacs_fix_movemail.]);;
+ AC_MSG_WARN([This configuration installs a 'movemail' program
+ that does not support POP3 mail retrieval at all due to lack of
+ support for secure channels.
+ $emacs_fix_suggestion]);;
esac
+ fi
fi
test "$MAKE" = make || AC_MSG_NOTICE([Now you can run '$MAKE'.])
--
2.14.2.642.g20fed7cad
- bug#28597: 26.0.60; [Security] Configure should use --without-pop by default,
Robert Pluim <=