2

I am trying to make the case to my employer that updating from Emacs 24.3 to Emacs 24.5 is the right thing to do. The (understandable) justification for sticking with version 24.3 is that it is supported and configured by the OS vendor (CentOS), and as such, it will receive security updates, etc.

My argument is that once 24.4 was released, 24.3 reached the end of its support, and all future updates would be updates to the latest version. I found the following paragraph in the GNU Emacs FAQ, but I'm not sure that it clearly supports or refutes this claim.

A version number with two components (e.g., ‘22.1’) indicates a released version; three components indicate a development version (e.g., ‘23.0.50’ is what will eventually become ‘23.1’).

My question then is this: Will Emacs 24.3 ever receive security updates in the future? (or updates of any kind for that matter.)

Dan
nispio

2 Answers

2

I don't think that Emacs has any policy or process for these situations, considering how messy and arbitrary its versioning is.

But that does not matter, because the OS vendor guarantees updates for the particular version of Emacs it includes in its repositories. If there's a security issue the OS vendor will take care of patching this Emacs version even if Emacs itself does not.

Still, you can always build your own Emacs manually. Compiling Emacs is not hard.

  • "If there's a security issue the OS vendor will take care of patching this Emacs version even if Emacs itself does not." I wondered about that myself. Does this happen in practice? – nispio Aug 11 '15 at 20:03
  • "The OS vendor guarantees" seems to assume an OS vendor that, itself, provides Emacs and thus feels somehow responsible for it. It is good to know, for users who are in that context. But it presumably doesn't apply to users who install Emacs or who pick up a free binary copy of it. – Drew Aug 11 '15 at 20:32
  • @Drew Uhm, isn't that what the question is about? The OS-provided Emacs? If it was a custom build, the whole question about OS vendor support (second sentence) would not make any sense at all… –  Aug 12 '15 at 06:54
  • Yes, that's the case for the OP; sorry. The question title and summary (in bold) are more general, though: whether Emacs 24.3 will get security updates. Both aspects of the question (OS updates & Emacs Dev updates) can be helpful. (Aside: do we know that this OS vendor, or any particular vendor, really makes such a guarantee? That might be something for the OP to check, especially if trying to make an argument for upgrading. I can't even imagine what such a guarantee could reasonably consist of: *We guarantee to fix any security issue that arises?*) – Drew Aug 12 '15 at 14:21
1

Dunno the official answer. For that you had better ask emacs-devel@gnu.org.

My guess is no. Emacs 24.3 will not be updated for ordinary, non-security reasons, at least. Of that I'm pretty sure.

But security fixes are taken very seriously. Whether they are backported, and if so how far, I don't know.

Drew