GNU bug report logs - #19479
Package manager vulnerable

Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.

Package: emacs; Severity: important; Reported by: Kelly Dean <kelly@HIDDEN>; Keywords: security; dated Thu, 1 Jan 2015 12:40:02 UTC; Maintainer for emacs is bug-gnu-emacs@HIDDEN.
Removed indication that bug 19479 blocks Request was from Eli Zaretskii <eliz@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at 19479 <at> debbugs.gnu.org:


Received: (at 19479) by debbugs.gnu.org; 2 Sep 2017 12:24:49 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Sep 02 08:24:49 2017
Received: from localhost ([127.0.0.1]:41677 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1do7Tl-00045t-4X
	for submit <at> debbugs.gnu.org; Sat, 02 Sep 2017 08:24:49 -0400
Received: from eggs.gnu.org ([208.118.235.92]:52519)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <eliz@HIDDEN>) id 1do7Tj-00045i-PF
 for 19479 <at> debbugs.gnu.org; Sat, 02 Sep 2017 08:24:48 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <eliz@HIDDEN>) id 1do7Ta-0007I5-3F
 for 19479 <at> debbugs.gnu.org; Sat, 02 Sep 2017 08:24:42 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-0.0 required=5.0 tests=BAYES_20,RP_MATCHES_RCVD
 autolearn=disabled version=3.3.2
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:47649)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <eliz@HIDDEN>)
 id 1do7TQ-0007E3-Bc; Sat, 02 Sep 2017 08:24:28 -0400
Received: from 84.94.185.246.cable.012.net.il ([84.94.185.246]:2017
 helo=home-c4e4a596f7)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <eliz@HIDDEN>)
 id 1do7TP-00084l-Bx; Sat, 02 Sep 2017 08:24:27 -0400
Date: Sat, 02 Sep 2017 15:24:17 +0300
Message-Id: <83y3pxz3ta.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: Glenn Morris <rgm@HIDDEN>
In-reply-to: <yuegpd8zq2.fsf@HIDDEN> (message from Glenn Morris on
 Wed, 25 Feb 2015 16:09:57 -0500)
Subject: Re: bug#19479: Disclaimer is now on file at FSF
References: <0ylhjngoxs.fsf@HIDDEN>
 <5j6SB8Hmg5euoiN2VLa1iolGVWZxTvwQ1LnsgFUQiDZ@local>
 <yuegpd8zq2.fsf@HIDDEN>
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2001:4830:134:3::e
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: 19479
Cc: kelly@HIDDEN, 19479 <at> debbugs.gnu.org, emacs-devel@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Reply-To: Eli Zaretskii <eliz@HIDDEN>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -5.0 (-----)

unblock 24655 by 19479
thanks

> From: Glenn Morris <rgm@HIDDEN>
> Date: Wed, 25 Feb 2015 16:09:57 -0500
> Cc: 19479 <at> debbugs.gnu.org, emacs-devel@HIDDEN
> 
> I am not a lawyer (AFAIK, neither is anyone else on this list) and
> have no interest in discussing why these things are different.
> They just are.
> 
> I said the first time we went through this that it was my
> understanding that disclaimers worked this way. I said it again here:
> https://lists.gnu.org/archive/html/emacs-devel/2015-01/msg00198.html
> 
> I have now had this confirmed by assign@gnu.
> 
> 
> If you (the generic you) want to contribute to Emacs, there is a
> well-defined, simple procedure that hundreds of people have followed
> with no problem.
> 
> If you don't want to follow the procedure, then fine, that's your
> prerogative. Then you can't contribute.
> 
> But please don't start arguing with us about what the procedure is, or
> should be, or what you think a judge might say, or why you need to be an
> exception. We don't set the rules here at Emacs, and it just isn't a
> productive use of anyone's time.

Two and a half years later, with no one complaining about this, it
doesn't sound right for this issue to block the release of Emacs 26.1.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#19479; Package emacs. Full text available.
Added indication that bug 19479 blocks24655 Request was from Eli Zaretskii <eliz@HIDDEN> to control <at> debbugs.gnu.org. Full text available.
Removed indication that bug 19479 blocks Request was from Eli Zaretskii <eliz@HIDDEN> to control <at> debbugs.gnu.org. Full text available.
Added indication that bug 19479 blocks21966 Request was from Glenn Morris <rgm@HIDDEN> to control <at> debbugs.gnu.org. Full text available.
Removed indication that bug 19479 blocks Request was from Dmitry Gutov <dgutov@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at 19479 <at> debbugs.gnu.org:


Received: (at 19479) by debbugs.gnu.org; 25 Feb 2015 21:10:07 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Feb 25 16:10:07 2015
Received: from localhost ([127.0.0.1]:58083 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1YQjDa-0004Bp-Ff
	for submit <at> debbugs.gnu.org; Wed, 25 Feb 2015 16:10:07 -0500
Received: from fencepost.gnu.org ([208.118.235.10]:51108 ident=Debian-exim)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <rgm@HIDDEN>) id 1YQjDU-0004BH-D2
 for 19479 <at> debbugs.gnu.org; Wed, 25 Feb 2015 16:10:04 -0500
Received: from rgm by fencepost.gnu.org with local (Exim 4.71)
 (envelope-from <rgm@HIDDEN>)
 id 1YQjDR-00082S-VJ; Wed, 25 Feb 2015 16:09:58 -0500
From: Glenn Morris <rgm@HIDDEN>
To: Kelly Dean <kelly@HIDDEN>
Subject: Re: bug#19479: Disclaimer is now on file at FSF
References: <0ylhjngoxs.fsf@HIDDEN>
 <5j6SB8Hmg5euoiN2VLa1iolGVWZxTvwQ1LnsgFUQiDZ@local>
X-Spook: sniper basement explosion underground Audiotel White
X-Ran: Yj!r%Wq,{}|^\o%N@<r?W|>:sj?bZaO>H0i3Ek:{>~2Z6KKSC/3PR;By~>\}4W4Sod&ZQD
X-Hue: red
X-Attribution: GM
Date: Wed, 25 Feb 2015 16:09:57 -0500
In-Reply-To: <5j6SB8Hmg5euoiN2VLa1iolGVWZxTvwQ1LnsgFUQiDZ@local> (Kelly Dean's
 message of "Tue, 24 Feb 2015 23:02:09 +0000")
Message-ID: <yuegpd8zq2.fsf@HIDDEN>
User-Agent: Gnus (www.gnus.org), GNU Emacs (www.gnu.org/software/emacs/)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: 19479
Cc: 19479 <at> debbugs.gnu.org, emacs-devel@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -5.0 (-----)

Kelly Dean wrote:

>> So, I don't want to get into this discussion,
>
> And yet you chose to dig it back up, even after everybody else was
> satisfied that it was resolved more than a month ago.

I've been largely on a break from Emacs. I always thought there was
something strange here, and I just happened to get motivated enough now
to ask assign@gnu for clarification when I saw patches were still arriving.

> The copyright clerk's exact words on January 20th were, =E2=80=9FWe've
> accepted the public domain disclaimer and added you to our records",
> not =E2=80=9Fwe've accepted part of the disclaimer, but rejected another
> part".

I specifically mentioned you by name in the question I asked assign@gnu,
and the reply I got (one day ago) was, in totality:

   Disclaimers are not valid for future contributions. Thanks for checking =
in.

Like I said, you can take it up with them if you disagree.
I'be glad to be corrected, but it all seems pretty clear to me.

I am not trying to be the bad guy and I am not out to get you.
I applied several patches from you and would have been happy to apply more.
I am just trying to ensure Emacs follows the FSF's procedures,
which seem pretty clear to me.


Vibhav Pant wrote:

> Well, what about
> http://git.savannah.gnu.org/cgit/gnulib.git/plain/doc/Copyright/request-a=
ssign.future?
> This is the form to request documents for assigning past and future
> works, which according to you isn't possible.

That's not what I said.
I said: I am told *disclaimers* cannot apply to future changes.

You will note that there are separate documents for *assigning* past
changes (request-assign.changes), and past-and-future changes
(request-assign.future). But for *disclaimers* there is only
request-disclaim.changes. There is no request-disclaim.future.
If you read

http://git.savannah.gnu.org/cgit/gnulib.git/tree/doc/Copyright/request-disc=
laim.changes

it quite clearly states that it only applies to past, finished changes.

I am not a lawyer (AFAIK, neither is anyone else on this list) and
have no interest in discussing why these things are different.
They just are.

I said the first time we went through this that it was my
understanding that disclaimers worked this way. I said it again here:
https://lists.gnu.org/archive/html/emacs-devel/2015-01/msg00198.html

I have now had this confirmed by assign@gnu.


If you (the generic you) want to contribute to Emacs, there is a
well-defined, simple procedure that hundreds of people have followed
with no problem.

If you don't want to follow the procedure, then fine, that's your
prerogative. Then you can't contribute.

But please don't start arguing with us about what the procedure is, or
should be, or what you think a judge might say, or why you need to be an
exception. We don't set the rules here at Emacs, and it just isn't a
productive use of anyone's time.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#19479; Package emacs. Full text available.

Message received at 19479 <at> debbugs.gnu.org:


Received: (at 19479) by debbugs.gnu.org; 24 Feb 2015 23:03:45 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Feb 24 18:03:45 2015
Received: from localhost ([127.0.0.1]:57095 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1YQOW1-0002RN-4m
	for submit <at> debbugs.gnu.org; Tue, 24 Feb 2015 18:03:45 -0500
Received: from relay5-d.mail.gandi.net ([217.70.183.197]:35995)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <kelly@HIDDEN>) id 1YQOVr-0002R4-0l
 for 19479 <at> debbugs.gnu.org; Tue, 24 Feb 2015 18:03:44 -0500
Received: from mfilter31-d.gandi.net (mfilter31-d.gandi.net [217.70.178.162])
 by relay5-d.mail.gandi.net (Postfix) with ESMTP id 3FA7D41C073;
 Wed, 25 Feb 2015 00:03:33 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mfilter31-d.gandi.net
X-Amavis-Alert: BAD HEADER SECTION, Duplicate header field: "Cc"
Received: from relay5-d.mail.gandi.net ([217.70.183.197])
 by mfilter31-d.gandi.net (mfilter31-d.gandi.net [10.0.15.180]) (amavisd-new,
 port 10024)
 with ESMTP id Q1oLYe7Z3uNN; Wed, 25 Feb 2015 00:03:31 +0100 (CET)
X-Originating-IP: 66.220.3.179
Received: from localhost (gm179.geneticmail.com [66.220.3.179])
 (Authenticated sender: kelly@HIDDEN)
 by relay5-d.mail.gandi.net (Postfix) with ESMTPSA id 9091341C054;
 Wed, 25 Feb 2015 00:03:30 +0100 (CET)
From: Kelly Dean <kelly@HIDDEN>
To: Glenn Morris <rgm@HIDDEN>
Subject: Re: bug#19479: Disclaimer is now on file at FSF
In-Reply-To: <0ylhjngoxs.fsf@HIDDEN>
References: <0ylhjngoxs.fsf@HIDDEN>
Date: Tue, 24 Feb 2015 23:02:09 +0000
Message-ID: <5j6SB8Hmg5euoiN2VLa1iolGVWZxTvwQ1LnsgFUQiDZ@local>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 19479
Cc: 19479 <at> debbugs.gnu.org, emacs-devel@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.7 (/)

> So, I don't want to get into this discussion,

And yet you chose to dig it back up, even after everybody else was satisf=
ied that it was resolved more than a month ago. The copyright clerk's exa=
ct words on January 20th were, =E2=80=9FWe've accepted the public domain =
disclaimer and added you to our records=E2=80=9D, not =E2=80=9Fwe've acce=
pted part of the disclaimer, but rejected another part=E2=80=9D.

The disclaimer covers future changes, and everybody's comments about that=
 part had already been CCed to the clerk, and his answer was, =E2=80=9FWe=
've accepted the public domain disclaimer=E2=80=9D.

> but I've always assumed
> that disclaimers do not/cannot apply to future changes. I asked
> assign@HIDDEN, and they confirmed "Disclaimers are not valid for futur=
e
> contributions".

Good luck finding a copyright judge anywhere in America who would agree w=
ith your absurd claim that my work since January 8th is not in the public=
 domain, despite my signed statement that it is.

Or if you admit it is PD, I'm sure you can dream up some rationalization =
of why PD code isn't allowed in Emacs, and then try to remove it all, whi=
ch is a lot more than just my code.

Either way, I'm done trying to work on Emacs. This B.S. isn't worth my ti=
me.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#19479; Package emacs. Full text available.

Message received at 19479 <at> debbugs.gnu.org:


Received: (at 19479) by debbugs.gnu.org; 24 Feb 2015 18:11:18 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Feb 24 13:11:18 2015
Received: from localhost ([127.0.0.1]:56984 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1YQJwz-00072D-UF
	for submit <at> debbugs.gnu.org; Tue, 24 Feb 2015 13:11:18 -0500
Received: from fencepost.gnu.org ([208.118.235.10]:34346 ident=Debian-exim)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <rgm@HIDDEN>) id 1YQJwt-000721-Rm
 for 19479 <at> debbugs.gnu.org; Tue, 24 Feb 2015 13:11:16 -0500
Received: from rgm by fencepost.gnu.org with local (Exim 4.71)
 (envelope-from <rgm@HIDDEN>)
 id 1YQJwt-0004dk-9u; Tue, 24 Feb 2015 13:11:11 -0500
From: Glenn Morris <rgm@HIDDEN>
To: Kelly Dean <kelly@HIDDEN>
Subject: Re: bug#19479: Disclaimer is now on file at FSF
References: <iHwGTo6KPGu52f1tOLq6Ek7KcZ7r2tufrT1z4GnPndF@local>
 <1s36JQvcdkW4qq4Xkzun5CT6LeDiZZWuaTNWhNiTLcd@local>
 <rt-3.4.5-910-1421783402-547.973211-5-0@HIDDEN>
 <sXpSIlT9bkMLz7zWFLWTjm38mvYqlezH8vXlii5uxqC@local>
Mail-Followup-To: emacs-devel@HIDDEN
Date: Tue, 24 Feb 2015 13:11:11 -0500
In-Reply-To: <sXpSIlT9bkMLz7zWFLWTjm38mvYqlezH8vXlii5uxqC@local> (Kelly Dean's
 message of "Tue, 20 Jan 2015 21:18:48 +0000")
Message-ID: <0ylhjngoxs.fsf@HIDDEN>
User-Agent: Gnus (www.gnus.org), GNU Emacs (www.gnu.org/software/emacs/)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: 19479
Cc: 19479 <at> debbugs.gnu.org, Emacs developers <emacs-devel@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -5.0 (-----)


So, I don't want to get into this discussion, but I've always assumed
that disclaimers do not/cannot apply to future changes. I asked
assign@HIDDEN, and they confirmed "Disclaimers are not valid for future
contributions".

I mention this because AFAICS you are sending new patches.

Your disclaimer is dated 2015-1-8. AFAICS we cannot apply anything after
that. Someone should also check the several patches from you that have
been applied recently to make sure they originated before this date.

Sorry, I don't have time/inclination to discuss special cases.
Maybe you want to take it up with rms and/or assign@gnu.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#19479; Package emacs. Full text available.

Message received at 19479 <at> debbugs.gnu.org:


Received: (at 19479) by debbugs.gnu.org; 24 Feb 2015 08:48:51 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Feb 24 03:48:51 2015
Received: from localhost ([127.0.0.1]:56194 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1YQBAg-000075-Uj
	for submit <at> debbugs.gnu.org; Tue, 24 Feb 2015 03:48:51 -0500
Received: from relay4-d.mail.gandi.net ([217.70.183.196]:49720)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <kelly@HIDDEN>) id 1YQBAe-00006v-SH
 for 19479 <at> debbugs.gnu.org; Tue, 24 Feb 2015 03:48:49 -0500
Received: from mfilter16-d.gandi.net (mfilter16-d.gandi.net [217.70.178.144])
 by relay4-d.mail.gandi.net (Postfix) with ESMTP id 03DAB172081;
 Tue, 24 Feb 2015 09:48:47 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mfilter16-d.gandi.net
X-Amavis-Alert: BAD HEADER SECTION, Duplicate header field: "Cc"
Received: from relay4-d.mail.gandi.net ([217.70.183.196])
 by mfilter16-d.gandi.net (mfilter16-d.gandi.net [10.0.15.180]) (amavisd-new,
 port 10024)
 with ESMTP id iffBTboRSMlU; Tue, 24 Feb 2015 09:48:45 +0100 (CET)
X-Originating-IP: 66.220.3.179
Received: from localhost (gm179.geneticmail.com [66.220.3.179])
 (Authenticated sender: kelly@HIDDEN)
 by relay4-d.mail.gandi.net (Postfix) with ESMTPSA id 962B4172077;
 Tue, 24 Feb 2015 09:48:43 +0100 (CET)
From: Kelly Dean <kelly@HIDDEN>
To: Ivan Shmakov <ivan@HIDDEN>
Subject: Re: Emacs package manager vulnerable to replay attacks
In-Reply-To: <87iogt8ipi.fsf@HIDDEN>
References: <87iogt8ipi.fsf@HIDDEN>
 <F8kXGdneKQWh6B82cOwdrCdBAdO1h3o9WXOqLmHuB8T@local>
 <iHwGTo6KPGu52f1tOLq6Ek7KcZ7r2tufrT1z4GnPndF@local>
Date: Tue, 24 Feb 2015 08:47:23 +0000
Message-ID: <bNYHpEiZCkauoMSMdrNGBBL3XObzeRBVpRxjzurW4Ql@local>
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 19479
Cc: 19479 <at> debbugs.gnu.org, emacs-devel@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.7 (/)

Note, I'm not implementing the metadata-replay fix, because it's unlikely my patch would be accepted, so somebody else will need to do it. See my January 11th message to bug #19479 for a description of how to do it.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#19479; Package emacs. Full text available.
Added indication that bug 19479 blocks19759 Request was from Glenn Morris <rgm@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at 19479 <at> debbugs.gnu.org:


Received: (at 19479) by debbugs.gnu.org; 20 Jan 2015 21:24:58 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Jan 20 16:24:58 2015
Received: from localhost ([127.0.0.1]:51091 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1YDgID-0007lE-N9
	for submit <at> debbugs.gnu.org; Tue, 20 Jan 2015 16:24:57 -0500
Received: from relay5-d.mail.gandi.net ([217.70.183.197]:42429)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <kelly@HIDDEN>) id 1YDgIB-0007l4-DF
 for 19479 <at> debbugs.gnu.org; Tue, 20 Jan 2015 16:24:56 -0500
Received: from mfilter22-d.gandi.net (mfilter22-d.gandi.net [217.70.178.150])
 by relay5-d.mail.gandi.net (Postfix) with ESMTP id 71D2241C06D
 for <19479 <at> debbugs.gnu.org>; Tue, 20 Jan 2015 22:24:53 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mfilter22-d.gandi.net
Received: from relay5-d.mail.gandi.net ([217.70.183.197])
 by mfilter22-d.gandi.net (mfilter22-d.gandi.net [10.0.15.180]) (amavisd-new,
 port 10024) with ESMTP id aMcFWjb1WabK for <19479 <at> debbugs.gnu.org>;
 Tue, 20 Jan 2015 22:24:52 +0100 (CET)
X-Originating-IP: 66.220.3.179
Received: from localhost (gm179.geneticmail.com [66.220.3.179])
 (Authenticated sender: kelly@HIDDEN)
 by relay5-d.mail.gandi.net (Postfix) with ESMTPSA id 925BB41C067
 for <19479 <at> debbugs.gnu.org>; Tue, 20 Jan 2015 22:24:50 +0100 (CET)
From: Kelly Dean <kelly@HIDDEN>
To: 19479 <at> debbugs.gnu.org
Subject: Disclaimer is now on file at FSF
References: <iHwGTo6KPGu52f1tOLq6Ek7KcZ7r2tufrT1z4GnPndF@local>
 <1s36JQvcdkW4qq4Xkzun5CT6LeDiZZWuaTNWhNiTLcd@local>
 <rt-3.4.5-910-1421783402-547.973211-5-0@HIDDEN>
Date: Tue, 20 Jan 2015 21:18:48 +0000
Message-ID: <sXpSIlT9bkMLz7zWFLWTjm38mvYqlezH8vXlii5uxqC@local>
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 19479
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.7 (/)

The FSF has accepted my disclaimer and added me to their records. You can install my patches if you find them satisfactory on technical grounds.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#19479; Package emacs. Full text available.

Message received at 19479 <at> debbugs.gnu.org:


Received: (at 19479) by debbugs.gnu.org; 12 Jan 2015 15:38:36 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Jan 12 10:38:36 2015
Received: from localhost ([127.0.0.1]:54623 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1YAh4e-0007h0-8w
	for submit <at> debbugs.gnu.org; Mon, 12 Jan 2015 10:38:36 -0500
Received: from fencepost.gnu.org ([208.118.235.10]:42475 ident=Debian-exim)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <rms@HIDDEN>) id 1YAh4Y-0007gp-PI
 for 19479 <at> debbugs.gnu.org; Mon, 12 Jan 2015 10:38:35 -0500
Received: from rms by fencepost.gnu.org with local (Exim 4.71)
 (envelope-from <rms@HIDDEN>)
 id 1YAh4X-00035B-9m; Mon, 12 Jan 2015 10:38:29 -0500
Date: Mon, 12 Jan 2015 10:38:29 -0500
Message-Id: <E1YAh4X-00035B-9m@HIDDEN>
Content-Type: text/plain; charset=Utf-8
From: Richard Stallman <rms@HIDDEN>
To: Stefan Monnier <monnier@HIDDEN>
In-reply-to: <jwvtwzyyu4g.fsf-monnier+emacsbugs@HIDDEN> (message from Stefan
 Monnier on Sat, 10 Jan 2015 20:39:36 -0500)
Subject: Re: bug#19479: Copyright issue
References: <jwvwq4v5xgl.fsf-monnier+emacsbugs@HIDDEN>
 <t3noM85HlB7UYkAMr2zPjZF2ojMPUQTQ8Sp5awEbc96@local>
 <jwvtwzyyu4g.fsf-monnier+emacsbugs@HIDDEN>
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: 19479
Cc: kelly@HIDDEN, 19479 <at> debbugs.gnu.org, assign@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: rms@HIDDEN
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -5.0 (-----)

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

Instead of having a discussion here, please let me get this worked out
between Kelly and our clerk, with the help of lawyers when needed.

-- 
Dr Richard Stallman
President, Free Software Foundation
51 Franklin St
Boston MA 02110
USA
www.fsf.org  www.gnu.org
Skype: No way! That's nonfree (freedom-denying) software.
  Use Ekiga or an ordinary phone call.





Information forwarded to bug-gnu-emacs@HIDDEN:
bug#19479; Package emacs. Full text available.

Message received at 19479 <at> debbugs.gnu.org:


Received: (at 19479) by debbugs.gnu.org; 11 Jan 2015 06:33:20 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Jan 11 01:33:20 2015
Received: from localhost ([127.0.0.1]:42347 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1YAC5Q-0005sk-6r
	for submit <at> debbugs.gnu.org; Sun, 11 Jan 2015 01:33:20 -0500
Received: from mout.gmx.net ([212.227.15.15]:55188)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <werner.lemberg@HIDDEN>) id 1YAC5O-0005sa-3h
 for 19479 <at> debbugs.gnu.org; Sun, 11 Jan 2015 01:33:18 -0500
Received: from gnu.org ([178.165.129.233]) by mail.gmx.com (mrgmx001) with
 ESMTPSA (Nemesis) id 0M6BKc-1Xq1qG2h58-00y8ep; Sun, 11 Jan 2015 07:33:11
 +0100
Date: Sun, 11 Jan 2015 07:33:00 +0100 (CET)
Message-Id: <20150111.073300.172574682.wl@HIDDEN>
To: kelly@HIDDEN
Subject: Re: bug#19479: Copyright issue
From: Werner LEMBERG <wl@HIDDEN>
In-Reply-To: <uqK9s2EJ0lHC70uZbUunNN6qv171s49r3sesM5HhMaD@local>
References: <jwvtwzyyu4g.fsf-monnier+emacsbugs@HIDDEN>
 <uqK9s2EJ0lHC70uZbUunNN6qv171s49r3sesM5HhMaD@local>
X-Mailer: Mew version 6.5 on Emacs 25.0.50.1 / Mule 6.0 (HANACHIRUSATO)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Provags-ID: V03:K0:8YhvHJNos+3i1RCJQXUjRk4g8Z76mx7ecufYgRHcPIb6Ixo5CET
 5YbGS/sFtiaJLebAdjIkFffBykM2yxCgPCcPWBMKFe5Sng9FMWtRcqOeauOUFW0rhwSfvMX
 F3FUwVTP2Bvo+h0LpOU7C6t2P6K7JsrZhZlfBl12PkAFAgEMjtwH4U6JqoHV/2TRHBLmSAj
 4PTbTaIrfs1xwCNXcgusQ==
X-UI-Out-Filterresults: notjunk:1;
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 19479
Cc: assign@HIDDEN, monnier@HIDDEN, 19479 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: 0.0 (/)


>> No, the assignment document is just for the Emacs code you wrote
>> and whose copyright you own.  It simply doesn't apply to the code
>> whose copyright you don't own (which normally only happens when the
>> copyright is owned by your employer).
> 
> I don't have a copy of it handy, but if that's the way it's worded,
> then you're right, it wouldn't be illegal for me to sign it. It
> would only be immoral. It would be legally vacuous, and deceptive,
> leading to doubt about my intent.

Perhaps slightly off-topic, but quite relevant IMHO in a global
perspective:

It is *not* possible to create not-copyrighted code in some
jurisdictions like Germany.  Whatever you write, it is by default
copyrighted by you (regardless whether there is a `public domain' line
or not), and you have to explicitly disclaim or reassign the
copyright.

For this reason, it is *much* better to use a license like CC0 instead
of a public domain notice, since this covers the `public domain' idea
in virtually all countries.  Actually, this is what the FSF recommends
(https://www.gnu.org/licenses/license-list.en.html#CC0), and I guess
this works for emacs also, since it works already for GNU (according
to https://gcc.gnu.org/contribute.html#legal).


    Werner




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#19479; Package emacs. Full text available.

Message received at 19479 <at> debbugs.gnu.org:


Received: (at 19479) by debbugs.gnu.org; 11 Jan 2015 03:21:26 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Jan 10 22:21:26 2015
Received: from localhost ([127.0.0.1]:42321 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1YA95i-00076L-5v
	for submit <at> debbugs.gnu.org; Sat, 10 Jan 2015 22:21:26 -0500
Received: from relay4-d.mail.gandi.net ([217.70.183.196]:56938)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <kelly@HIDDEN>) id 1YA95f-00076A-Ap
 for 19479 <at> debbugs.gnu.org; Sat, 10 Jan 2015 22:21:23 -0500
Received: from mfilter5-d.gandi.net (mfilter5-d.gandi.net [217.70.178.132])
 by relay4-d.mail.gandi.net (Postfix) with ESMTP id 24AAD17207C;
 Sun, 11 Jan 2015 04:21:22 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mfilter5-d.gandi.net
X-Amavis-Alert: BAD HEADER SECTION, Duplicate header field: "Cc"
Received: from relay4-d.mail.gandi.net ([217.70.183.196])
 by mfilter5-d.gandi.net (mfilter5-d.gandi.net [10.0.15.180]) (amavisd-new,
 port 10024)
 with ESMTP id PqJ+F+0VVg+0; Sun, 11 Jan 2015 04:21:20 +0100 (CET)
X-Originating-IP: 66.220.3.179
Received: from localhost (gm179.geneticmail.com [66.220.3.179])
 (Authenticated sender: kelly@HIDDEN)
 by relay4-d.mail.gandi.net (Postfix) with ESMTPSA id 68BC2172070;
 Sun, 11 Jan 2015 04:21:19 +0100 (CET)
From: Kelly Dean <kelly@HIDDEN>
To: Stefan Monnier <monnier@HIDDEN>
Subject: Re: bug#19479: Copyright issue
In-Reply-To: <jwvtwzyyu4g.fsf-monnier+emacsbugs@HIDDEN>
References: <jwvtwzyyu4g.fsf-monnier+emacsbugs@HIDDEN>
Date: Sun, 11 Jan 2015 03:20:31 +0000
Message-ID: <uqK9s2EJ0lHC70uZbUunNN6qv171s49r3sesM5HhMaD@local>
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 19479
Cc: 19479 <at> debbugs.gnu.org, assign@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.7 (/)

Stefan Monnier wrote:
>> If I sign an assignment document, then I would be committing perjury.
>
> No, the assignment document is just for the Emacs code you wrote and
> whose copyright you own.  It simply doesn't apply to the code whose
> copyright you don't own (which normally only happens when the copyright
> is owned by your employer).

I don't have a copy of it handy, but if that's the way it's worded, then you're right, it wouldn't be illegal for me to sign it. It would only be immoral. It would be legally vacuous, and deceptive, leading to doubt about my intent.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#19479; Package emacs. Full text available.

Message received at 19479 <at> debbugs.gnu.org:


Received: (at 19479) by debbugs.gnu.org; 11 Jan 2015 02:57:19 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Jan 10 21:57:19 2015
Received: from localhost ([127.0.0.1]:42309 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1YA8iM-0006DQ-L1
	for submit <at> debbugs.gnu.org; Sat, 10 Jan 2015 21:57:19 -0500
Received: from relay4-d.mail.gandi.net ([217.70.183.196]:50342)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <kelly@HIDDEN>) id 1YA8iJ-0006DB-FL
 for 19479 <at> debbugs.gnu.org; Sat, 10 Jan 2015 21:57:16 -0500
Received: from mfilter15-d.gandi.net (mfilter15-d.gandi.net [217.70.178.143])
 by relay4-d.mail.gandi.net (Postfix) with ESMTP id 884B017207C
 for <19479 <at> debbugs.gnu.org>; Sun, 11 Jan 2015 03:57:14 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mfilter15-d.gandi.net
Received: from relay4-d.mail.gandi.net ([217.70.183.196])
 by mfilter15-d.gandi.net (mfilter15-d.gandi.net [10.0.15.180]) (amavisd-new,
 port 10024) with ESMTP id HZucTgHAMMs1 for <19479 <at> debbugs.gnu.org>;
 Sun, 11 Jan 2015 03:57:13 +0100 (CET)
X-Originating-IP: 66.220.3.179
Received: from localhost (gm179.geneticmail.com [66.220.3.179])
 (Authenticated sender: kelly@HIDDEN)
 by relay4-d.mail.gandi.net (Postfix) with ESMTPSA id 9BCA8172077
 for <19479 <at> debbugs.gnu.org>; Sun, 11 Jan 2015 03:57:11 +0100 (CET)
From: Kelly Dean <kelly@HIDDEN>
To: 19479 <at> debbugs.gnu.org
Subject: (on-topic) Re: bug#19479: Package manager vulnerable
References: <iHwGTo6KPGu52f1tOLq6Ek7KcZ7r2tufrT1z4GnPndF@local>
Date: Sun, 11 Jan 2015 02:56:22 +0000
Message-ID: <F8kXGdneKQWh6B82cOwdrCdBAdO1h3o9WXOqLmHuB8T@local>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 19479
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.7 (/)

Back on topic...

I found a good way to add timestamps to prevent metadata replay (the othe=
r vulnerability), and to further harden the package manager's security, b=
ut of course I'll wait until we hear from the clerk before trying to impl=
ement it.

The reason I said there's a compatibility problem for timestamps is that =
archive-contents is a list consisting just of a version number followed b=
y a bunch of package records; the list's format isn't extensible (though =
the package record format is extensible). There's no way to insert a time=
stamp without changing the list's format (and thus, the version number), =
but if you do that, then old clients can't understand archive-contents an=
ymore.

Even worse, old clients become stuck because they store the new-format (i=
ncompatible) file before checking the version number, then barf on it and=
 refuse to accept even an old-format (compatible) file to replace it unti=
l you manually delete the stored one.

I see four possible solutions:
0. Have a flag day, on which all the elpas switch to the new format, and =
on or before which everybody must upgrade to Emacs 25 or his package mana=
ger will stop working.
1. Have the server check the User-Agent header, and send the old-format f=
ile if it's =E2=8C=9CURL/Emacs=E2=8C=9D, and the new-format if it's =E2=8C=
=9CURL/Emacs-25=E2=8C=9D or later.
2. Use a different URL for the new-format file.
3. Keep the old format, and put the timestamp in a different file.

#0 obviously isn't an option.
I advise against #1, for reasons which everybody here already knows.
#2 would work, but is inelegant, since you would still have to retain the=
 old-format file for the sake of old clients, and it's inefficient, since=
 new clients would have to periodically re-download the entire file (fair=
ly big, in Melpa's case) even if nothing but the timestamp changed (and c=
lients have to demand fresh timestamps in order to prevent metadata repla=
y attacks).

#3 looks like the best solution. The timestamp file includes the timestam=
p and the hash of archive-contents. Sign the timestamp file for the sake =
of new clients.

Old clients would ignore the timestamp file. If archive-contents is uncha=
nged, then new clients would only have to periodically re-download the ti=
mestamp file and signature--the minimal amount of data necessary. They'd =
see that the current hash of archive-contents matches the version they al=
ready have stored. IOW, to whoever made archive-contents inextensible: th=
ank you! You've forced the right solution to timestamping. ;-)

Combined with my previous patch, this leaves the timestamp-file's signatu=
re as the only one that's necessary to secure the entire archive (package=
s and metadata, including timestamp) and prevent both package and metadat=
a replay attacks. IMHO, this simplicity makes it practical to insist that=
 all elpas provide this signature, so Emacs 25 could enforce it by defaul=
t.

Optionally continue signing archive-contents for the sake of 24.4 clients=
, but since 25 won't need that signature, nothing before 24.4 is capable =
of checking it, 24.4 doesn't enforce it by default, Melpa doesn't even pr=
ovide it IIUC (GNU Elpa does), and 24.4 is vulnerable to package and meta=
data replay anyway, you might as well not. The kind of people who have ch=
anged package-check-signature to t will upgrade to 25 anyway.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#19479; Package emacs. Full text available.

Message received at 19479 <at> debbugs.gnu.org:


Received: (at 19479) by debbugs.gnu.org; 11 Jan 2015 01:39:41 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Jan 10 20:39:41 2015
Received: from localhost ([127.0.0.1]:42247 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1YA7VF-0003Tr-1f
	for submit <at> debbugs.gnu.org; Sat, 10 Jan 2015 20:39:41 -0500
Received: from pruche.dit.umontreal.ca ([132.204.246.22]:53006)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <monnier@HIDDEN>) id 1YA7VC-0003Tg-01
 for 19479 <at> debbugs.gnu.org; Sat, 10 Jan 2015 20:39:38 -0500
Received: from pastel.home (lechon.iro.umontreal.ca [132.204.27.242])
 by pruche.dit.umontreal.ca (8.14.1/8.14.1) with ESMTP id t0B1daok028893;
 Sat, 10 Jan 2015 20:39:36 -0500
Received: by pastel.home (Postfix, from userid 20848)
 id 4DCF9C53; Sat, 10 Jan 2015 20:39:36 -0500 (EST)
From: Stefan Monnier <monnier@HIDDEN>
To: Kelly Dean <kelly@HIDDEN>
Subject: Re: bug#19479: Copyright issue
Message-ID: <jwvtwzyyu4g.fsf-monnier+emacsbugs@HIDDEN>
References: <jwvwq4v5xgl.fsf-monnier+emacsbugs@HIDDEN>
 <t3noM85HlB7UYkAMr2zPjZF2ojMPUQTQ8Sp5awEbc96@local>
Date: Sat, 10 Jan 2015 20:39:36 -0500
In-Reply-To: <t3noM85HlB7UYkAMr2zPjZF2ojMPUQTQ8Sp5awEbc96@local> (Kelly Dean's
 message of "Sat, 10 Jan 2015 01:18:00 +0000")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-NAI-Spam-Flag: NO
X-NAI-Spam-Level: 
X-NAI-Spam-Threshold: 5
X-NAI-Spam-Score: 0.2
X-NAI-Spam-Rules: 2 Rules triggered
	GEN_SPAM_FEATRE=0.2, RV5182=0
X-NAI-Spam-Version: 2.3.0.9393 : core <5182> : inlines <1750> : streams
 <1371376> : uri <1842018>
X-Spam-Score: -1.3 (-)
X-Debbugs-Envelope-To: 19479
Cc: 19479 <at> debbugs.gnu.org, assign@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.3 (-)

> If I sign an assignment document, then I would be committing perjury.

No, the assignment document is just for the Emacs code you wrote and
whose copyright you own.  It simply doesn't apply to the code whose
copyright you don't own (which normally only happens when the copyright
is owned by your employer).


        Stefan




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#19479; Package emacs. Full text available.

Message received at 19479 <at> debbugs.gnu.org:


Received: (at 19479) by debbugs.gnu.org; 10 Jan 2015 19:29:40 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Jan 10 14:29:40 2015
Received: from localhost ([127.0.0.1]:42133 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1YA1jA-0008LH-Hg
	for submit <at> debbugs.gnu.org; Sat, 10 Jan 2015 14:29:40 -0500
Received: from fencepost.gnu.org ([208.118.235.10]:59383)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <rms@HIDDEN>) id 1YA1j8-0008L8-Rk
 for 19479 <at> debbugs.gnu.org; Sat, 10 Jan 2015 14:29:39 -0500
Received: from rms by fencepost.gnu.org with local (Exim 4.71)
 (envelope-from <rms@HIDDEN>)
 id 1YA1j7-00076Y-Cf; Sat, 10 Jan 2015 14:29:37 -0500
Date: Sat, 10 Jan 2015 14:29:37 -0500
Message-Id: <E1YA1j7-00076Y-Cf@HIDDEN>
Content-Type: text/plain; charset=Utf-8
From: Richard Stallman <rms@HIDDEN>
To: Kelly Dean <kelly@HIDDEN>
In-reply-to: <28X8CWcxytFrnmAvzW6uuTJIZbigFBiglw7zAmVVIR2@local> (message from
 Kelly Dean on Fri, 09 Jan 2015 21:49:54 +0000)
Subject: Re: bug#19479: Copyright issue
References: <MtcEBpHHHDODjlLExBspSbSHsi44e5lD7V1k9dlWr1y@local>
 <28X8CWcxytFrnmAvzW6uuTJIZbigFBiglw7zAmVVIR2@local>
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: 19479
Cc: dak@HIDDEN, assign@HIDDEN, 19479 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: rms@HIDDEN
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -5.0 (-----)

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

In general, we do accept code whose copyright has been disclaimed by
the author.  That is not our preference, but it is ok.

Would you please discuss this privately with me and the copyright clerk?

-- 
Dr Richard Stallman
President, Free Software Foundation
51 Franklin St
Boston MA 02110
USA
www.fsf.org  www.gnu.org
Skype: No way! That's nonfree (freedom-denying) software.
  Use Ekiga or an ordinary phone call.





Information forwarded to bug-gnu-emacs@HIDDEN:
bug#19479; Package emacs. Full text available.

Message received at 19479 <at> debbugs.gnu.org:


Received: (at 19479) by debbugs.gnu.org; 10 Jan 2015 01:18:54 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Jan 09 20:18:54 2015
Received: from localhost ([127.0.0.1]:41291 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1Y9khZ-0003LP-Pu
	for submit <at> debbugs.gnu.org; Fri, 09 Jan 2015 20:18:53 -0500
Received: from relay4-d.mail.gandi.net ([217.70.183.196]:55421)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <kelly@HIDDEN>) id 1Y9khX-0003LG-9d
 for 19479 <at> debbugs.gnu.org; Fri, 09 Jan 2015 20:18:52 -0500
Received: from mfilter31-d.gandi.net (mfilter31-d.gandi.net [217.70.178.162])
 by relay4-d.mail.gandi.net (Postfix) with ESMTP id 74498172071;
 Sat, 10 Jan 2015 02:18:49 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mfilter31-d.gandi.net
X-Amavis-Alert: BAD HEADER SECTION, Duplicate header field: "Cc"
Received: from relay4-d.mail.gandi.net ([217.70.183.196])
 by mfilter31-d.gandi.net (mfilter31-d.gandi.net [10.0.15.180]) (amavisd-new,
 port 10024)
 with ESMTP id XLxwGi783N57; Sat, 10 Jan 2015 02:18:48 +0100 (CET)
X-Originating-IP: 66.220.3.179
Received: from localhost (gm179.geneticmail.com [66.220.3.179])
 (Authenticated sender: kelly@HIDDEN)
 by relay4-d.mail.gandi.net (Postfix) with ESMTPSA id B2004172080;
 Sat, 10 Jan 2015 02:18:46 +0100 (CET)
From: Kelly Dean <kelly@HIDDEN>
To: Stefan Monnier <monnier@HIDDEN>
Subject: Re: bug#19479: Copyright issue
In-Reply-To: <jwvwq4v5xgl.fsf-monnier+emacsbugs@HIDDEN>
References: <jwvwq4v5xgl.fsf-monnier+emacsbugs@HIDDEN>
Date: Sat, 10 Jan 2015 01:18:00 +0000
Message-ID: <t3noM85HlB7UYkAMr2zPjZF2ojMPUQTQ8Sp5awEbc96@local>
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 19479
Cc: 19479 <at> debbugs.gnu.org, assign@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.7 (/)

Stefan Monnier wrote:
> All this arguing just to try and avoid signing the standard document
> baffles me

If I sign an assignment document, then I would be committing perjury. Possibly in the legal sense, and at least in the moral sense.

And there isn't just one standard document. There are at least five; three for disclaimers, and two for assignments. I asked the clerk to choose the correct disclaimer for me. If he'd done it, none of this arguing would be necessary.

All of which I already pointed out, so I'm baffled by your bafflement.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#19479; Package emacs. Full text available.

Message received at 19479 <at> debbugs.gnu.org:


Received: (at 19479) by debbugs.gnu.org; 9 Jan 2015 23:47:14 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Jan 09 18:47:14 2015
Received: from localhost ([127.0.0.1]:41258 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1Y9jGr-0008Fc-L2
	for submit <at> debbugs.gnu.org; Fri, 09 Jan 2015 18:47:14 -0500
Received: from ironport2-out.teksavvy.com ([206.248.154.181]:40011)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <monnier@HIDDEN>) id 1Y9jGo-0008FT-NE
 for 19479 <at> debbugs.gnu.org; Fri, 09 Jan 2015 18:47:11 -0500
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AqMPAOwQflS4rwoL/2dsb2JhbABbgwdSWYI1UIUKvwaGFwQCAoEkFwEBAQEBAXyEAgEBAQECASMzIwULCxgCAhgOAgIUGA0kE4g3CQ2/eZZTAQEBBwEBAQEegSuNBYFSOjMHgnWBUwWKHWSKHoQog3uRbYF4hBkhMAEBAYJEAQEB
X-IPAS-Result: AqMPAOwQflS4rwoL/2dsb2JhbABbgwdSWYI1UIUKvwaGFwQCAoEkFwEBAQEBAXyEAgEBAQECASMzIwULCxgCAhgOAgIUGA0kE4g3CQ2/eZZTAQEBBwEBAQEegSuNBYFSOjMHgnWBUwWKHWSKHoQog3uRbYF4hBkhMAEBAYJEAQEB
X-IronPort-AV: E=Sophos;i="5.07,502,1413259200"; d="scan'208";a="107250331"
Received: from 184-175-10-11.dsl.teksavvy.com (HELO ceviche.home)
 ([184.175.10.11])
 by ironport2-out.teksavvy.com with ESMTP/TLS/DHE-RSA-AES256-SHA;
 09 Jan 2015 18:47:09 -0500
Received: by ceviche.home (Postfix, from userid 20848)
 id 96ED466100; Fri,  9 Jan 2015 18:47:09 -0500 (EST)
From: Stefan Monnier <monnier@HIDDEN>
To: Kelly Dean <kelly@HIDDEN>
Subject: Re: bug#19479: Copyright issue
Message-ID: <jwvwq4v5xgl.fsf-monnier+emacsbugs@HIDDEN>
References: <MtcEBpHHHDODjlLExBspSbSHsi44e5lD7V1k9dlWr1y@local>
 <28X8CWcxytFrnmAvzW6uuTJIZbigFBiglw7zAmVVIR2@local>
Date: Fri, 09 Jan 2015 18:47:09 -0500
In-Reply-To: <28X8CWcxytFrnmAvzW6uuTJIZbigFBiglw7zAmVVIR2@local> (Kelly Dean's
 message of "Fri, 09 Jan 2015 21:49:54 +0000")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 0.3 (/)
X-Debbugs-Envelope-To: 19479
Cc: David Kastrup <dak@HIDDEN>, assign@HIDDEN, 19479 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: 0.3 (/)

All this arguing just to try and avoid signing the standard document
baffles me,


        Stefan


>>>>> "Kelly" =3D=3D Kelly Dean <kelly@HIDDEN> writes:

> I wrote:
>> Anyway, my patch that Glenn objected to was created in the past, not the
>> future, so at least that one is ok.

> Actually my future patches are ok too.

> http://git.savannah.gnu.org/cgit/gnulib.git/plain/doc/Copyright/disclaim.=
program says:
> =E2=8C=9CDigital Stimulation Corporation hereby disclaims all copyright i=
nterest
>   in the program "seduce" (a program to direct assemblers to make passes =
at
>   compilers under GNU Emacs) written by Hugh Heffner, including both the
>   present version of the program and his/her future changes and
>   enhancements to it.=E2=8C=9D

> Notice the disclaimer applies to future work. Which means my disclaimer
> applying to future work is effective.

> If the FSF thinks it has to register those PD works (which would be absur=
d,
> but absurdity has never stopped lawyers), that's a separate issue from the
> one-time disclaimer (covering past and future work) that the
> disclaim.program file shows that the FSF does accept. It isn't any extra
> burden for the FSF compared to assignment, since obviously the FSF can on=
ly
> register intellectual property ownership of assigned works after those wo=
rks
> are created too, so the FSF still has to constantly (or annually or
> whatever) send new paperwork to the copyright office even for contributors
> who have signed an assignment form. IOW, Stefan keeps the lawyers a lot
> busier than I do. ;-)

> But again, even if for some weird reason the lawyers think my disclaimer =
for
> future work isn't effective, it certainly is effective for my previous wo=
rk,
> including my patch for bug #19479. (And if it isn't, then they're welcome=
 to
> point out what's wrong with it, and send me a disclaimer form that _is_
> effective, which I asked for already in 2012). If necessary, I can re-date
> and re-sign it in the future to cover new work, which is fine since my
> contributions to Emacs are infrequent.






Information forwarded to bug-gnu-emacs@HIDDEN:
bug#19479; Package emacs. Full text available.

Message received at 19479 <at> debbugs.gnu.org:


Received: (at 19479) by debbugs.gnu.org; 9 Jan 2015 21:50:48 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Jan 09 16:50:48 2015
Received: from localhost ([127.0.0.1]:41197 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1Y9hSC-0005KG-G5
	for submit <at> debbugs.gnu.org; Fri, 09 Jan 2015 16:50:48 -0500
Received: from relay3-d.mail.gandi.net ([217.70.183.195]:49377)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <kelly@HIDDEN>) id 1Y9hSA-0005K7-CV
 for 19479 <at> debbugs.gnu.org; Fri, 09 Jan 2015 16:50:47 -0500
Received: from mfilter3-d.gandi.net (mfilter3-d.gandi.net [217.70.178.133])
 by relay3-d.mail.gandi.net (Postfix) with ESMTP id AF5D7A80B9;
 Fri,  9 Jan 2015 22:50:44 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mfilter3-d.gandi.net
X-Amavis-Alert: BAD HEADER SECTION, Duplicate header field: "Cc"
Received: from relay3-d.mail.gandi.net ([217.70.183.195])
 by mfilter3-d.gandi.net (mfilter3-d.gandi.net [10.0.15.180]) (amavisd-new,
 port 10024)
 with ESMTP id VCK-G220seXJ; Fri,  9 Jan 2015 22:50:43 +0100 (CET)
X-Originating-IP: 66.220.3.179
Received: from localhost (gm179.geneticmail.com [66.220.3.179])
 (Authenticated sender: kelly@HIDDEN)
 by relay3-d.mail.gandi.net (Postfix) with ESMTPSA id D6F18A80C6;
 Fri,  9 Jan 2015 22:50:41 +0100 (CET)
From: Kelly Dean <kelly@HIDDEN>
To: David Kastrup <dak@HIDDEN>
Subject: Re: bug#19479: Copyright issue
In-Reply-To: <MtcEBpHHHDODjlLExBspSbSHsi44e5lD7V1k9dlWr1y@local>
References: <MtcEBpHHHDODjlLExBspSbSHsi44e5lD7V1k9dlWr1y@local>
Date: Fri, 09 Jan 2015 21:49:54 +0000
Message-ID: <28X8CWcxytFrnmAvzW6uuTJIZbigFBiglw7zAmVVIR2@local>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 19479
Cc: assign@HIDDEN, 19479 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.7 (/)

I wrote:
> Anyway, my patch that Glenn objected to was created in the past, not th=
e future, so at least that one is ok.

Actually my future patches are ok too.

http://git.savannah.gnu.org/cgit/gnulib.git/plain/doc/Copyright/disclaim.=
program says:
=E2=8C=9CDigital Stimulation Corporation hereby disclaims all copyright i=
nterest
  in the program "seduce" (a program to direct assemblers to make passes =
at
  compilers under GNU Emacs) written by Hugh Heffner, including both the
  present version of the program and his/her future changes and
  enhancements to it.=E2=8C=9D

Notice the disclaimer applies to future work. Which means my disclaimer a=
pplying to future work is effective.

If the FSF thinks it has to register those PD works (which would be absur=
d, but absurdity has never stopped lawyers), that's a separate issue from=
 the one-time disclaimer (covering past and future work) that the disclai=
m.program file shows that the FSF does accept. It isn't any extra burden =
for the FSF compared to assignment, since obviously the FSF can only regi=
ster intellectual property ownership of assigned works after those works =
are created too, so the FSF still has to constantly (or annually or whate=
ver) send new paperwork to the copyright office even for contributors who=
 have signed an assignment form. IOW, Stefan keeps the lawyers a lot busi=
er than I do. ;-)

But again, even if for some weird reason the lawyers think my disclaimer =
for future work isn't effective, it certainly is effective for my previou=
s work, including my patch for bug #19479. (And if it isn't, then they're=
 welcome to point out what's wrong with it, and send me a disclaimer form=
 that _is_ effective, which I asked for already in 2012). If necessary, I=
 can re-date and re-sign it in the future to cover new work, which is fin=
e since my contributions to Emacs are infrequent.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#19479; Package emacs. Full text available.

Message received at 19479 <at> debbugs.gnu.org:


Received: (at 19479) by debbugs.gnu.org; 9 Jan 2015 21:01:16 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Jan 09 16:01:16 2015
Received: from localhost ([127.0.0.1]:41161 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1Y9ggG-00045r-C6
	for submit <at> debbugs.gnu.org; Fri, 09 Jan 2015 16:01:16 -0500
Received: from relay3-d.mail.gandi.net ([217.70.183.195]:40051)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <kelly@HIDDEN>) id 1Y9ggD-00045i-RR
 for 19479 <at> debbugs.gnu.org; Fri, 09 Jan 2015 16:01:14 -0500
Received: from mfilter9-d.gandi.net (mfilter9-d.gandi.net [217.70.178.138])
 by relay3-d.mail.gandi.net (Postfix) with ESMTP id 2906EA80C6;
 Fri,  9 Jan 2015 22:01:12 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mfilter9-d.gandi.net
X-Amavis-Alert: BAD HEADER SECTION, Duplicate header field: "Cc"
Received: from relay3-d.mail.gandi.net ([217.70.183.195])
 by mfilter9-d.gandi.net (mfilter9-d.gandi.net [10.0.15.180]) (amavisd-new,
 port 10024)
 with ESMTP id jzcazt3yHunn; Fri,  9 Jan 2015 22:01:10 +0100 (CET)
X-Originating-IP: 66.220.3.179
Received: from localhost (gm179.geneticmail.com [66.220.3.179])
 (Authenticated sender: kelly@HIDDEN)
 by relay3-d.mail.gandi.net (Postfix) with ESMTPSA id DDE1DA80C2;
 Fri,  9 Jan 2015 22:01:08 +0100 (CET)
From: Kelly Dean <kelly@HIDDEN>
To: David Kastrup <dak@HIDDEN>
Subject: Re: bug#19479: Copyright issue
In-Reply-To: <87zj9sm0q8.fsf@HIDDEN>
References: <87zj9sm0q8.fsf@HIDDEN>
Date: Fri, 09 Jan 2015 21:00:23 +0000
Message-ID: <MtcEBpHHHDODjlLExBspSbSHsi44e5lD7V1k9dlWr1y@local>
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 19479
Cc: assign@HIDDEN, 19479 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.7 (/)

David Kastrup wrote:
> We need to bother with more than the U.S.A.,
> however

Does this mean that all PD code, including feedmail.el, needs to be deleted from Emacs? The authors of that code don't satisfy the not-USA countries' supposed requirements of having been dead for 75 years or so.

> one can only register specific works which means it is not
> possible to register them before they are even created.

Ouch. Unfortunately, I've been busy and have had no time for proper preparation, so I'll parry your blow next week. ;-)

Anyway, my patch that Glenn objected to was created in the past, not the future, so at least that one is ok.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#19479; Package emacs. Full text available.

Message received at 19479 <at> debbugs.gnu.org:


Received: (at 19479) by debbugs.gnu.org; 9 Jan 2015 20:32:10 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Jan 09 15:32:10 2015
Received: from localhost ([127.0.0.1]:41153 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1Y9gE6-0003O2-9S
	for submit <at> debbugs.gnu.org; Fri, 09 Jan 2015 15:32:10 -0500
Received: from fencepost.gnu.org ([208.118.235.10]:58044)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <rgm@HIDDEN>) id 1Y9gE5-0003Nv-KD
 for 19479 <at> debbugs.gnu.org; Fri, 09 Jan 2015 15:32:09 -0500
Received: from rgm by fencepost.gnu.org with local (Exim 4.71)
 (envelope-from <rgm@HIDDEN>)
 id 1Y9gE2-0004C5-PC; Fri, 09 Jan 2015 15:32:07 -0500
From: Glenn Morris <rgm@HIDDEN>
To: Kelly Dean <kelly@HIDDEN>
Subject: Re: bug#19479: Copyright issue
References: <jwvmw5s0yu5.fsf-monnier+emacsbugs@HIDDEN>
 <EitH3yok1Itmynw5Ex1Vi3AuvkREurR1ccm1J5MQD4E@local>
 <0etwzzu2gd.fsf@HIDDEN>
X-Spook: assassinate enemy of the state SAFE White House sniper
X-Ran: r70-!0YsA&n7;>'_y)gDQQQ.my&+@B/?x3\I,;AO[m[#ABFW)"AsE+Wu&s\\:L_"nNN]RZ
X-Hue: yellow
X-Attribution: GM
Date: Fri, 09 Jan 2015 15:32:06 -0500
In-Reply-To: <0etwzzu2gd.fsf@HIDDEN> (Glenn Morris's message of
 "Fri, 09 Jan 2015 15:24:50 -0500")
Message-ID: <1abnm7zoe1.fsf@HIDDEN>
User-Agent: Gnus (www.gnus.org), GNU Emacs (www.gnu.org/software/emacs/)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: 19479
Cc: 19479 <at> debbugs.gnu.org, assign@HIDDEN, emacs-devel@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -5.0 (-----)

Glenn Morris wrote:

> I must say, that it was not my impression that disclaimers were not
> accaptable for Emacs. Only that the FSF does not offer a "past and
> future" option for disclaimers like it does for assignments, so a new
> disclaimer would have to be completed for every new change. I thought
> this was not worth bothering with, so I advised you not to send more patches.

PS but yes, for a non-trivial security issue like 19479 it did seem
worth it to me, so I was on the verge of saying, would you be willing to
complete a disclaimer for this change. But then Stefan said disclaimers
were not viable, so I didn't bother to say it.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#19479; Package emacs. Full text available.

Message received at 19479 <at> debbugs.gnu.org:


Received: (at 19479) by debbugs.gnu.org; 9 Jan 2015 20:24:55 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Jan 09 15:24:55 2015
Received: from localhost ([127.0.0.1]:41149 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1Y9g75-0003By-3T
	for submit <at> debbugs.gnu.org; Fri, 09 Jan 2015 15:24:55 -0500
Received: from fencepost.gnu.org ([208.118.235.10]:57844)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <rgm@HIDDEN>) id 1Y9g72-0003Bq-KV
 for 19479 <at> debbugs.gnu.org; Fri, 09 Jan 2015 15:24:53 -0500
Received: from rgm by fencepost.gnu.org with local (Exim 4.71)
 (envelope-from <rgm@HIDDEN>)
 id 1Y9g71-0001Ql-8L; Fri, 09 Jan 2015 15:24:51 -0500
From: Glenn Morris <rgm@HIDDEN>
To: Kelly Dean <kelly@HIDDEN>
Subject: Re: bug#19479: Copyright issue
References: <jwvmw5s0yu5.fsf-monnier+emacsbugs@HIDDEN>
 <EitH3yok1Itmynw5Ex1Vi3AuvkREurR1ccm1J5MQD4E@local>
X-Spook: SAFE advisors interception spies Ft. Bragg AIMSX TELINT
X-Ran: ^)zT,L|0kv7t:`]$UsuBE!3b&?hP|A`vOh6Gx|X,:z^'\7kTz`GkPMJf$g/>6*c=yn'cE_
X-Hue: cyan
X-Attribution: GM
Date: Fri, 09 Jan 2015 15:24:50 -0500
In-Reply-To: <EitH3yok1Itmynw5Ex1Vi3AuvkREurR1ccm1J5MQD4E@local> (Kelly Dean's
 message of "Fri, 09 Jan 2015 19:57:35 +0000")
Message-ID: <0etwzzu2gd.fsf@HIDDEN>
User-Agent: Gnus (www.gnus.org), GNU Emacs (www.gnu.org/software/emacs/)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: 19479
Cc: assign@HIDDEN, 19479 <at> debbugs.gnu.org,
 Stefan Monnier <monnier@HIDDEN>, emacs-devel@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -5.0 (-----)


I must say, that it was not my impression that disclaimers were not
accaptable for Emacs. Only that the FSF does not offer a "past and
future" option for disclaimers like it does for assignments, so a new
disclaimer would have to be completed for every new change. I thought
this was not worth bothering with, so I advised you not to send more patches.

But I certainly don't know, I just go with whatever assign@gnu says.

I don't see much point discussing this on emacs-devel. None of us are
lawyers so our opinions are pretty irrelevant. We need to wait and see
what assign@gnu says.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#19479; Package emacs. Full text available.

Message received at 19479 <at> debbugs.gnu.org:


Received: (at 19479) by debbugs.gnu.org; 9 Jan 2015 20:06:39 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Jan 09 15:06:39 2015
Received: from localhost ([127.0.0.1]:41135 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1Y9fpP-0002kS-7h
	for submit <at> debbugs.gnu.org; Fri, 09 Jan 2015 15:06:39 -0500
Received: from relay5-d.mail.gandi.net ([217.70.183.197]:51735)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <kelly@HIDDEN>) id 1Y9fpN-0002kI-OI
 for 19479 <at> debbugs.gnu.org; Fri, 09 Jan 2015 15:06:38 -0500
Received: from mfilter9-d.gandi.net (mfilter9-d.gandi.net [217.70.178.138])
 by relay5-d.mail.gandi.net (Postfix) with ESMTP id 054AC41C079;
 Fri,  9 Jan 2015 21:06:36 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mfilter9-d.gandi.net
X-Amavis-Alert: BAD HEADER SECTION, Header field occurs more than once: "Cc"
 occurs 3 times
Received: from relay5-d.mail.gandi.net ([217.70.183.197])
 by mfilter9-d.gandi.net (mfilter9-d.gandi.net [10.0.15.180]) (amavisd-new,
 port 10024)
 with ESMTP id hXygcAqZ34Wu; Fri,  9 Jan 2015 21:06:34 +0100 (CET)
X-Originating-IP: 66.220.3.179
Received: from localhost (gm179.geneticmail.com [66.220.3.179])
 (Authenticated sender: kelly@HIDDEN)
 by relay5-d.mail.gandi.net (Postfix) with ESMTPSA id 10BB941C073;
 Fri,  9 Jan 2015 21:06:32 +0100 (CET)
From: Kelly Dean <kelly@HIDDEN>
To: Stefan Monnier <monnier@HIDDEN>
Subject: Re: Copyright issue
In-Reply-To: <jwvmw5s0yu5.fsf-monnier+emacsbugs@HIDDEN>
References: <jwvmw5s0yu5.fsf-monnier+emacsbugs@HIDDEN>
Date: Fri, 09 Jan 2015 19:57:35 +0000
Message-ID: <EitH3yok1Itmynw5Ex1Vi3AuvkREurR1ccm1J5MQD4E@local>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 19479
Cc: assign@HIDDEN, 19479 <at> debbugs.gnu.org, emacs-devel@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.7 (/)

Stefan Monnier wrote:
>> 1. My code is PD. (In case the FSF disputes this fact, I'm attaching
>>    a signed document to establish it.)
>
> It can't be PD.  You're simply confused about it.  It will only be PD 7=
5
> years after your death (or something like that).  Until then, all you
> can do is sign paperworks, and currently for Emacs contributions we
> require this paperwork to be a copyright assignment rather than
> a disclaimer.

GNU's own website says it can be PD. The documents at the three links I s=
ent you start with:
=E2=8C=9CI'd like to ask you to sign a disclaimer for the manual, thus pu=
tting it in the public domain.=E2=8C=9D
=E2=8C=9CI'd like to ask you to sign a disclaimer for the program, thus p=
utting it in the public domain.=E2=8C=9D
=E2=8C=9CI'd like to ask you to sign a disclaimer for your changes, thus =
putting them in the public domain.=E2=8C=9D

Notice the =E2=8C=9Cthus putting them in the public domain=E2=8C=9D.

Also, do you claim that SQLite is not PD? The author, Richard Hipp, says =
it's PD, and the many millions of users of SQLite, including many major c=
ompanies with lots of copyright lawyers, accept the legal fact that it's =
PD. And Richard Hipp is not dead.

Also, do you claim that feedmail.el is not PD? The first lines of it are:
;;; feedmail.el --- assist other email packages to massage outgoing messa=
ges
;;; This file is in the public domain.

;; This file is part of GNU Emacs.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#19479; Package emacs. Full text available.

Message received at 19479 <at> debbugs.gnu.org:


Received: (at 19479) by debbugs.gnu.org; 9 Jan 2015 15:29:28 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Jan 09 10:29:28 2015
Received: from localhost ([127.0.0.1]:41024 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1Y9bV9-0004Hb-Vz
	for submit <at> debbugs.gnu.org; Fri, 09 Jan 2015 10:29:28 -0500
Received: from fencepost.gnu.org ([208.118.235.10]:49598)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <dak@HIDDEN>) id 1Y9bV7-0004HT-LU
 for 19479 <at> debbugs.gnu.org; Fri, 09 Jan 2015 10:29:26 -0500
Received: from localhost ([127.0.0.1]:56904 helo=lola)
 by fencepost.gnu.org with esmtp (Exim 4.71)
 (envelope-from <dak@HIDDEN>)
 id 1Y9bV1-00018E-Rd; Fri, 09 Jan 2015 10:29:20 -0500
Received: by lola (Postfix, from userid 1000)
 id 417A5E0BE1; Fri,  9 Jan 2015 16:29:19 +0100 (CET)
From: David Kastrup <dak@HIDDEN>
To: Stefan Monnier <monnier@HIDDEN>
Subject: Re: bug#19479: Copyright issue
References: <jwv4ms03cj3.fsf-monnier+emacsbugs@HIDDEN>
 <quFzgVhBDz7zhUp0lS56OK32kQQjWsi4jSGZeullV6K@local>
 <iKceXlDJbawOYczzAAZidbwV0Sq68CGaBNzyymlTMR2@local>
 <1s36JQvcdkW4qq4Xkzun5CT6LeDiZZWuaTNWhNiTLcd@local>
 <jwvmw5s0yu5.fsf-monnier+emacsbugs@HIDDEN>
Date: Fri, 09 Jan 2015 16:29:19 +0100
In-Reply-To: <jwvmw5s0yu5.fsf-monnier+emacsbugs@HIDDEN> (Stefan Monnier's
 message of "Fri, 09 Jan 2015 10:17:52 -0500")
Message-ID: <87zj9sm0q8.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: 19479
Cc: Kelly Dean <kelly@HIDDEN>, emacs-devel@HIDDEN, assign@HIDDEN,
 19479 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -5.0 (-----)

Stefan Monnier <monnier@HIDDEN> writes:

>> 1. My code is PD. (In case the FSF disputes this fact, I'm attaching
>>    a signed document to establish it.)
>
> It can't be PD.  You're simply confused about it.  It will only be PD
> 75 years after your death (or something like that).

If I remember correctly, if he is living in the U.S.A. and registers a
specific work with the U.S. copyright office as being released by him
into the public domain, then the work will indeed be in the public
domain within the U.S.A.  We need to bother with more than the U.S.A.,
however, and one can only register specific works which means it is not
possible to register them before they are even created.

-- 
David Kastrup




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#19479; Package emacs. Full text available.

Message received at 19479 <at> debbugs.gnu.org:


Received: (at 19479) by debbugs.gnu.org; 9 Jan 2015 15:17:58 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Jan 09 10:17:58 2015
Received: from localhost ([127.0.0.1]:40963 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1Y9bK1-0003zy-Kl
	for submit <at> debbugs.gnu.org; Fri, 09 Jan 2015 10:17:57 -0500
Received: from chene.dit.umontreal.ca ([132.204.246.20]:49110)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <monnier@HIDDEN>) id 1Y9bJy-0003zo-Qh
 for 19479 <at> debbugs.gnu.org; Fri, 09 Jan 2015 10:17:55 -0500
Received: from pastel.home (lechon.iro.umontreal.ca [132.204.27.242])
 by chene.dit.umontreal.ca (8.14.1/8.14.1) with ESMTP id t09FHqg6012793;
 Fri, 9 Jan 2015 10:17:52 -0500
Received: by pastel.home (Postfix, from userid 20848)
 id 4B645CCF; Fri,  9 Jan 2015 10:17:52 -0500 (EST)
From: Stefan Monnier <monnier@HIDDEN>
To: Kelly Dean <kelly@HIDDEN>
Subject: Re: Copyright issue
Message-ID: <jwvmw5s0yu5.fsf-monnier+emacsbugs@HIDDEN>
References: <jwv4ms03cj3.fsf-monnier+emacsbugs@HIDDEN>
 <quFzgVhBDz7zhUp0lS56OK32kQQjWsi4jSGZeullV6K@local>
 <iKceXlDJbawOYczzAAZidbwV0Sq68CGaBNzyymlTMR2@local>
 <1s36JQvcdkW4qq4Xkzun5CT6LeDiZZWuaTNWhNiTLcd@local>
Date: Fri, 09 Jan 2015 10:17:52 -0500
In-Reply-To: <1s36JQvcdkW4qq4Xkzun5CT6LeDiZZWuaTNWhNiTLcd@local> (Kelly Dean's
 message of "Fri, 09 Jan 2015 06:59:54 +0000")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-NAI-Spam-Flag: NO
X-NAI-Spam-Threshold: 5
X-NAI-Spam-Score: 0
X-NAI-Spam-Rules: 1 Rules triggered
	RV5181=0
X-NAI-Spam-Version: 2.3.0.9393 : core <5181> : inlines <1739> : streams
 <1370605> : uri <1841833>
X-Spam-Score: -1.3 (-)
X-Debbugs-Envelope-To: 19479
Cc: emacs-devel@HIDDEN, 19479 <at> debbugs.gnu.org, assign@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.3 (-)

> 1. My code is PD. (In case the FSF disputes this fact, I'm attaching
>    a signed document to establish it.)

It can't be PD.  You're simply confused about it.  It will only be PD 75
years after your death (or something like that).  Until then, all you
can do is sign paperworks, and currently for Emacs contributions we
require this paperwork to be a copyright assignment rather than
a disclaimer.


        Stefan




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#19479; Package emacs. Full text available.

Message received at 19479 <at> debbugs.gnu.org:


Received: (at 19479) by debbugs.gnu.org; 9 Jan 2015 07:00:49 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Jan 09 02:00:49 2015
Received: from localhost ([127.0.0.1]:40641 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1Y9TYv-0006wF-0e
	for submit <at> debbugs.gnu.org; Fri, 09 Jan 2015 02:00:49 -0500
Received: from relay5-d.mail.gandi.net ([217.70.183.197]:36959)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <kelly@HIDDEN>) id 1Y9TYs-0006w6-By
 for 19479 <at> debbugs.gnu.org; Fri, 09 Jan 2015 02:00:47 -0500
Received: from mfilter13-d.gandi.net (mfilter13-d.gandi.net [217.70.178.141])
 by relay5-d.mail.gandi.net (Postfix) with ESMTP id 7B22C41C089;
 Fri,  9 Jan 2015 08:00:44 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mfilter13-d.gandi.net
X-Amavis-Alert: BAD HEADER SECTION, Header field occurs more than once: "Cc"
 occurs 3 times
Received: from relay5-d.mail.gandi.net ([217.70.183.197])
 by mfilter13-d.gandi.net (mfilter13-d.gandi.net [10.0.15.180]) (amavisd-new,
 port 10024)
 with ESMTP id nNZLtv+zkGJT; Fri,  9 Jan 2015 08:00:43 +0100 (CET)
X-Originating-IP: 162.248.99.114
Received: from localhost (114-99-248-162-static.reverse.queryfoundry.net
 [162.248.99.114]) (Authenticated sender: kelly@HIDDEN)
 by relay5-d.mail.gandi.net (Postfix) with ESMTPSA id 84AB241C075;
 Fri,  9 Jan 2015 08:00:40 +0100 (CET)
From: Kelly Dean <kelly@HIDDEN>
To: Stefan Monnier <monnier@HIDDEN>
Subject: Copyright issue (was: Re: bug#19479: Package manager vulnerable)
In-Reply-To: <jwv4ms03cj3.fsf-monnier+emacsbugs@HIDDEN>
References: <jwv4ms03cj3.fsf-monnier+emacsbugs@HIDDEN>
 <quFzgVhBDz7zhUp0lS56OK32kQQjWsi4jSGZeullV6K@local>
 <iKceXlDJbawOYczzAAZidbwV0Sq68CGaBNzyymlTMR2@local>
Date: Fri, 09 Jan 2015 06:59:54 +0000
Message-ID: <1s36JQvcdkW4qq4Xkzun5CT6LeDiZZWuaTNWhNiTLcd@local>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 19479
Cc: emacs-devel@HIDDEN, 19479 <at> debbugs.gnu.org, assign@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.7 (/)

--=-=-=
Content-Type: text/plain

Stefan Monnier wrote:
>>> You're one of the very rare oddballs who can't
>>> be bothered to sign a trivial document to get this out of the way
>> That's not true. I offered to sign a document saying my work is PD.
>
> I didn't mean "a trivial document" in the sense "any trivial document",
> but rather "the particular trivial document that everybody else signed".

The FSF doesn't have just one document for contributors; it has multiples, three of which I linked to in my previous message, and at least two more that are for assignment instead of disclaimer (one for only past contributions, and one for past and future contributions).

More than two years ago, I asked the copyright clerk to send me a disclaimer form to sign. He refused. This is the _only_ reason that the FSF doesn't already have a disclaimer on file for me.

If I sign an assignment document (i.e. saying that I own intellectual property for my work and that I'm assigning that ownership to the FSF), then I would just be committing perjury, because I don't own PD works. Nothing I sign can remove anything from the public domain.

Again, please don't conflate two separate issues:
0. The FSF is refusing new PD code in Emacs. (I would be happy to learn that I'm mistaken about this.)
1. My code is PD. (In case the FSF disputes this fact, I'm attaching a signed document to establish it.)

Because the clerk refused to send me anything to sign that would establish #1 to the FSF's satisfaction, today I printed, signed, and scanned the attached document based on the disclaimer forms the FSF has published, to make it abundantly clear that my work is PD and that the FSF is free to use my work with no legal restrictions whatsoever.

I'm also CCing it to assign@HIDDEN, even though at this point I assume the clerk will come up with some excuse to reject it.

If the clerk feels this doesn't make #1 clear enough, then please tell me what needs to change. Even better, send me the exact disclaimer form you want me to sign, which I asked for in the first place.

I repeat: nothing I sign can remove anything from the public domain. So nothing I sign can assign to the FSF ownership of my work; if assignment is what the FSF insists on, then it's asking for the impossible.

The attached document is to establish #1 to the FSF's satisfaction. The FSF alone has the ability to solve #0; it has nothing to do with me.

Here's the text of the attached document:

This document is derived from the following sources:
http://git.savannah.gnu.org/cgit/gnulib.git/plain/doc/Copyright/disclaim.manual
http://git.savannah.gnu.org/cgit/gnulib.git/plain/doc/Copyright/disclaim.program

I, Kelly Dean, American citizen and resident, hereby disclaim all patent, copyright, and all other forms of intellectual property ownership of and interest in all of my patches, software manuals, software programs, source code, documentation, revisions thereof, and all other works, past, present, and future, that I sent or will send to the emacs-devel@HIDDEN or bug-gnu-emacs@HIDDEN mailing lists, to 19479 <at> debbugs.gnu.org, to any other mailing list or email address at gnu.org or any subdomain thereof, or to any developer or maintainer of GNU Emacs or any other GNU software, from my previous (no longer active) email address of kellydeanch@HIDDEN, my current email address of kelly@HIDDEN, or any other email address.

I affirm that I have no other proprietary interest that would undermine this release, and will do nothing to undermine it in the future. I represent that all of the aforementioned works are my own and not a copy of someone else's work, except where sources are cited. Patches include citations and partial copies of the works to which the patches apply.

I created all of the works exclusively on my own time. They are not works made for hire, and there's no educational institution, employer, or any other organization or person who owns them. I do not have any agreement with any person or organization saying he or it owns programs I write, and I did not have any such agreement when I created any of the aforementioned works.

All of the works are permanently and irrevocably in the public domain.

Kelly Dean
kelly@HIDDEN
January 8, 2015


--=-=-=
Content-Type: application/pdf
Content-Disposition: attachment; filename=gnu-disclaimer.pdf
Content-Transfer-Encoding: base64

JVBERi0xLjQKJeLjz9MKMSAwIG9iago8PAovQ3JlYXRpb25EYXRlIChEOjIwMTUwMTA5MDIwODU4
LTA3JzAwJykKL01vZERhdGUgKEQ6MjAxNTAxMDkwMjA4NTgtMDcnMDAnKQovQ3JlYXRvciAoWGVy
b3ggQ29sb3IgNTUwKQovUHJvZHVjZXIgKFhlcm94IENvbG9yIDU1MCkKPj4KZW5kb2JqCjIzIDAg
b2JqCjw8Ci9UeXBlIC9YT2JqZWN0Ci9TdWJ0eXBlIC9JbWFnZQovV2lkdGggMjU1MAovSGVpZ2h0
IDMzMDAKL0JpdHNQZXJDb21wb25lbnQgMQovQ29sb3JTcGFjZSAvRGV2aWNlR3JheQovRmlsdGVy
IC9KQklHMkRlY29kZQovTGVuZ3RoIDI0IDAgUgo+PgpzdHJlYW0KAAAAADABAQAAABMAAAn2AAAM
5AAALiMAAC4jAAAAAAAAASYBAf////8AAAn2AAAM5AAAAAAAAAAAAAAD//3/Av7+/qwB/3HMWoSy
Ej1//nRoJnPrc4jleRXSfNbBi84EevLQDOrhqsd2m722HQZBMkCGMU6tBUCV4INgciqZ++0s/zkA
8uwB6XzxGzyJVZ/zsdbIM1D65cIjKZPKRpX44sf/CuE8H156A+vdraVPVsJf8o2KvsTZbJg26bo4
iw1VH6DXsNpUnR6y2Z4rQhMnEBOKVUKiwAFNZ04IBGV0mVlYgUZ4rjj05IVAbfmxuDfo1/9W1RqY
76PPDDYKVdJ6JBR2HX+wEtEU4kgx1i/Az+lFPL4fIPzSf3WAyRaX8XUze3ciWdui0u5UH59seK8d
SGPRualdx/UiyDhsKEkVAPne+s7+kXcslvtoKS3cLhHgMPeF9anz1VxqATJfaBQ2FNeSX/BUJ4mD
8ft8oqWAhZQCjS6ozjIwVYKl/NbaH4rfjrqJFmaxA8R39rc9xWtacm4Ni7usUShuux48pG7AoZP4
9pkDQ+4e3BLltTlpzO+trKJfrCnJUMU24JBAH5ZeoDlmQLPJyV3hpfFYKDVH9L6zmfdLvIGTs030
zgio0wWpIU9caXvTEzJr25+17E4Mh39AE+HBsaemYqCv4L/wfUzhJWn/ADfMPgWJjTrsqdhXnCER
kIoibEVMc4wKHHrUWzjkkMsjusjTcoE+RMsrgiQbZhrBSgf9dzXCkXCeu4Ye6JeYquWTfp8NVh5D
hHPVwEoaxzxNbH6B9QbV+wpdW6Vj/B9dKBmmmI5SIhbTxStD21nhtlcSfi5Ik2LXP+ufQtItM5B+
Wv8FbYgJySGCN3488+kopcMKeRIfCwbEb9draICHsSAm/H7kWXBsSpnycdn5nLd5jvaEjM4kpMIm
fykjValx5JKaT+RcoTKI9BVjDEbDkOJOuWeAtIZm/e+LBZAoYB8jpmoR2+jZP9vDfmoE+Bxx2MGu
sDwm+qNezGmL9RWImZCfrRPKMbZPMfMIvQFeeAJoZ6QhMU7yg9pmLAz19SkW7n0ssjt0bbuYgx/5
mGfajGqYE5FeQ4nL3lsoaWMe0MQgwMMGoOxToY2wq8s0uQKb903gpe6GoFN2TeMhyvSPABZFqqe5
0nMFB84Ybj9zWcNlCuguQC04kjC4WFYgRbm//PwQCKizVx7/QPPtXpMT7ZjK+dXzDCWrVQ+gijGE
O8W7APH11B+x7xp8mavYaRpvnb6efDGndbAToBghNI1x6ocebPB5P76lTy6TErZZosWwkshbs01D
FYm+s7x0cde/kdJ70Pb6I33xHiBW4tPK8GULeCVVGGQLbagd8N9IsIVKwb14wiTUl2X35MUK6F18
dRLbJsuwBtTQh1EwudYSrHouqJxw8ZQ+rimPeWidmE2epVq0iirVEODRbtKbBkoWGrVn8xnXr8Ag
I4lG+wp3A9Z5ULZ1BLbjhUDZzZUkT/2UtovIVN5/ggU+3XUTIiHwjFOKIEyfckhzD9JAfb+k2cTu
dHLnSUEhn3ez19S3eXDF/0IK5svbqWgHnzdpzzWMGZWrn9ugxRRLkqZuyiuPFJCCazyyed0p9B4q
h6zRf0QaFALllnbNCtu481Jy65gaYNwEj26/5b/WTPTSFcuZv1iWZ7fW3ryuO9x70V3rqMnrqmTL
iXP7bnmS7ukSvrke58ETThtr+CzzCTRNSssB4B/AmctDrvndnel1OQk5ttKKzblA9EC0u1Bw1ys5
afMwXlzk4qn7NA70nYEPy9Dw63QwJH5WyYrPNP9ibWk8pHbCGXzbcIqiK8YI/2htbXv9JGMWYNVJ
moCkxK08uBt8bi4GoOZTNFFtB4SIPPcFKjnFHGAprepSrJZQCtcoKjJ0gYuXKw5OPA0tLYGM3K82
LZqaROgKxl/JaXoMdFqj4fiuUK4RHBF1DdRAO41BL4EIVcJe+etomU0NjMrQfsTlFgYRlmk7d2vw
tXNrJWEDvVqPES/3I8os988V06gDdzXQPrZCg26RRZMb9lmfEB031v27mEcLEZWScRoVyKqJKBlx
sa4WsivIHFR6qr0k2X33I4bNaIndxxbe8H3iRCYkHMy7TsRmkq+BxvZa/b1ZcKebPLVurQG4hmlz
4MPQgh3MmDC5+JoNaa3O0W3y9zFhP90ERLPAois1l3qs85aouFoH/wToSZ/TgehoZdT0dytniH7N
7VOQzTqizHMSR6fHPHwTvDww5NlraxHq6DiA7bLHWPthErTUh88YtCclL/x9NyfIBKnkGXG3oY0b
yO+zIRO0/x51WXFG2v8rN6xlZyAYcXELelkqyNerxgYD/C6GmHBqyUm0/CXHwAlgVCkOXD1HqnF6
XsFJpKEneLejyy5Z015CoxNS4MrfuH/701fDR0VCu0gQTHTp00ZfHwanlsKQ7mAPxsm6wrA0WW4U
mdB/5k38N9FlzpXydICDxLk1jHYWbUukDITcxc8fsrbQiDgUU1GdQyh/B5x0Vw6m+eTe/EA7Kgnh
K37nz9ZcUMNtnuZKnvGTTFQaNuEiMHRptrXqxiH28WweGv9w9ZmZbiqaiflz+K+jslapUUlW2xv6
nI3CWpoMxK4BiurGFzG/eX8mwaRKd+1/BOrdHtcgU/t/ErbM8w2z/yiIQqEziGs4K0dTOOIiYx2z
u0duCy63eI2gq+RkVZZaXNy4i9F0nZ+SnFf+lag96lWZrJ0OvGHzRzEarKWYPTFKybBlq3bw0weN
st4JYQV9WNflLAFEXUUw3nxVwvLihwrYLQm1eBmEy+Dvnckk1fLiTi4FV3zgILQUytpLOsInUwAM
ceYNWyxvGqvnjOB8a99J+8q+7u0CxEImbC8ntxFMzM0/1KGTHprjAZ8yrCYoZsHhCd79JColgYYQ
0q3lAKH0ahFzKVcZC4nKz+CfIMZeiEh5vlNyq03JSJeS7rraTg4Vo7pYhpRrDx+EQSGG8/jxhTSP
xovzS+EMFPaWz7pab5hU5+RV1XvzakuCjydE/zRR9ZVC6vfBofs+gy8Z3S7hxa4dxoVnFat6XWGg
6C2/j0Ktxx3+dNWI2J7qGvUn5+pnXOtQjUAI1J1SSa+V6fgwKMCpQKkmphvL+rr9F+typiNgl81l
aMsKGd9VevrVnxrBB/3cjpniGekGTpLJOYGA/X2D7Uqr2W1Pj7VdygYzjcJAXfN0ezCQ8PHbC7uA
UtpfYwyCcepPn/I7QdQI7hTJSOr+3U+fQNgjWv2X9pLa0fEi1qPktfGkpg9iT+w+Ee51NmbUdCxa
cJmz20dcyUewE0izPJ9RJdJtJzlhgYes0W36CSTze4bVgev38DDuCyy78tWOwVpDpHwPhfpoBh6J
5nYqYi/4yYMW0yCbeb6Q8ZoaWVJP2nNxL8CpkpjE3xAfajJzaatuzkrZbi/8rIwrI34onz8j+uxZ
R04b6TVC3fH571qWOzvWBi5UUlLOwAO/WuTRUM3SVJGPbak9G/4cpHVdOqZYl4laBEPCb3y+WE4c
UcmwWMH+0tKOjNhGCS1HhZ4XwxYc6AWiqQ8ZOAZOoWY84c64IMrT1t4+oO440CBmApCcjwbmewH4
w/RK2sz9/Ke9RiUbv2czIWdesczLhTXfPY5k0j46hcEF/t53sAZHnndBEJeof+neXf9bWNzYvV+w
IKY4yiU5IBfTmPVBAnkS0PNHOtMC/RMIb7nzbxASzlKcwvX1oMdE9F0vFz/7XmletEatNapK82ww
tPcEcANvItnROdoccSHL7HVe6Z/t5VlebkTuUUZyjaryrYEcjWyz02kIPxeCXCcflJxAknyjHIH6
l1OyibCzKuLMHOhoCS/GONJt9XxuZ5Lc+VXMaaL/QeRxBgImC5TMqU4rHJrCQbjHy0zRsd/KVWfA
t65p4Tt4T8A1nrsPjqA8C0yoRd0wRGTNrXfQTq45ovL8p6L1BxdEc88ydj1hyU+KcmW6jcjjWkDQ
WtXmdub9zy0ajHpxDVLUbcl4s7AaSKdADoyNjKCXsQrpl1ykNg31+wnUfE23l9swa+ZPmPLKWYzg
HDWWG7TMlsUYzwuOqToZgItcoruXPrEv8f8E2GsK8lnME0yt7on/REYFBL0AhAJv9Ql3ygLCenOd
8pFT6imzjs2w5SKAEgekiRdFhO467IHpyjMAv81qYmSUC4Km0jE/xw4ce4LHNeATBKwPkJjziRiu
MhIDKNJrDpzFkAM0nBtZCdn7kfOGiydO3R7FJGeOPI1F6KGFC0PP0NF84Kptdo7W6BCGo3OJlCxC
jbFVr/N5IxMeJMAkHSVl1JZb46qn1ulmyhEVezSMt9q4TJlP3HrNLUcMdXtAbCixjTOwIiQg5ydy
LOvIg9MFa3ONLTmKPiUFgeLCQU6Ep6FS4tu+Z4rR8P4kQUG/CVSyIVQ1ANnki6DvTLJ9cM0jb4mA
qJCOZlQEDjR7NKNhtGQDKQOuNhszt1Z0aS3ITEfD3EEGTj43yLlde1kEfBx4NHtxgBHt3nLO6N4W
EFnN+JL/bihfnqo6I5NTV35hUUQAgv6fnb7DeNvU0n5/7Qlffy3hW3WWbUU2mduSFNC7nRCbSP9+
8oWfTlqTXyhbFFtM8qHSWpyGdCK/6gLLZJT7LyxMq56LfYLvVIIGBsSo8ms/Wzjr9gNMsmAWOpVw
Bj9rtmXhA+5fW7xKHPMRPQRsCPwGJ0cqh1DxQagPeBgeGYItoC9Wf+cfDuwuAKEPMezzHfF6ez6g
9r2XXMwXM9wUoShllP4iUYIoTblLke+oTlMjahKMEvg76fmzw6sTZE8xuI7nlipE2mQIPinIiYBW
83vwuvWcuKiTr+ncAhIdZPay33preDsSfUU5SKn2dn4azUIot+ofZ5dnhoJWDjB1sg/YsI2mYU37
ZOwAYkf3gbjKdyL197p60U4gpexKIXh9dQg27MCRGY0e4pmLzB8kRRAjUGbK/29JU3L/KzICCrZq
TJIhSuVFwHeylIcaE71DZUBtGX0zy857XoBqZmrQBq9OIzMM7kki6ULqcMRWrVjSo/m16gz/g6EZ
gxy3b55T1CK3zVKgv7f/bsip8jHHd8WMrwHR/AMXCyrg+MOtC5E+CBl7O6R267O/tAEmO1O7LE5g
URBnkBlBA4fXAV6RAF5g5onxVa35RTT0tCpJE4n4N/oRJlXyjEyx4VW28Y5MItlZkb3fObf/dynQ
7zzZDkbiuhLbn+duZWhCXdQILvbChTwfSxhpQVy4I3zaUuaAITzStWR0KL3KgqQRM8nLWNxqGLn4
UFIVT93ZwQgLJzfAm9NrVfWeayz7+gqg9J3/Pkd639phnG7rAHGQFpwwJqvIcWNDZuuXt4hEpcox
P4J5o3HvDR9Jt0vaayzlke+ZBFsosVML6L+44xGVnj0JHY0X8hyeRcChm5ShTw4NjJb7KMnLZQsx
Hwf7yywbORmTWKvW/ogPm0MkRc8MdMt6rga2duuQu8FnGE5dOJ0HNcmZ9kqW9etgx91tN66pHFU3
xMY/Gnsu9Z2vVIwDt3WnUYsk5ha81oWd7+nEuo5SiwhVaYkJLUkuFJZUTNL1btEsLYhkbI4DtxOJ
26iFl7Da+7AZi9+9pg24rkHsCUUqb+NCt9i6u9gXNdmWg39K13TQJSPiaBZR/zwfHHOe9uKaJwow
gWHL+9Txi2FC3US0tGiIsb0uq9rOXAUdJD1K3PcRCQXcee71eBRnQB13DJWM9oGq4+FxTARY1Zy/
w9RHdPJfBSY/rpLKx+1fej5/bxJeG9eko93CnR+tA7okRyVqozuR2cvW2cvEWpv+Ads+oQfy4aB8
nibjFJywaMHDF45E5LnldQBmM7fmbKc87oQ1y5scHNLLce7+ioPSL5kOwQsgbht3ldU9HIAnm8tL
++POAFNkSgZ5LaZDf15rAhjCREHbERnQSzpLfZmR8cOrks3ZB1OS1yrNQ+bk+oezaP6dqhTNghaP
g9hz4LdU5CcRUH2+gNc1mX4a5st5JKMe/2fcQypCKvMqSQ4fAwCzHERy10xh/2PBOh3SAL1S2D/3
V4lqeNLicoTYGQrecyiOA4pPGD13J5j3Hbh0n1IIVRwNMrAzIkT1G00VzCHELNa9I+BPeTiJJM7H
gx3t8BXE1dkeDPv0zcqoC9axGUmAdjf8YSvVNJn8bh6aYIpANQZh1DYCNgn/KZfAY4Ka45acJ5Jk
wo9xnK3gWSaybsivKWjNn8nCps/APJCUnfxanzHdEkAXpj3t78swZNVrQaC886UsR7U+QOdKndDS
Y3teMWZA9ORSNV5LnRPHbneBoVrEcIhg1LVKkkxHppe4qxxHfVxMVYo8aOcHgGU1+jikS3fje4MV
8wV6K8lCLSj5tn5gyvTrxbnxuqtQM9QDlwU9FXC5ILdTWQt7lf8gW4WTWehBlVe8rGYdmWXeXyPz
3oDjXIzNO1E0jrP3ELa1vMvYgqUJR+sawEe1HA/ExwE0aiZE81ycjgALz/oM8anKb0WLRXrfT/Ju
1ViWZPLi5VWUYkF9VsBw4IRgLHTbvgmi/dTYaH+htuNHQvqPixeDNlS5diDki4nhzIqQKT16e9n3
wJIhzXWAmoTLxQFMiznBscNcMSYr20vLMOK4BpJ7aFW7XRw9ruNTKJ4gs5OWpAq3uAU5OaC3M7K6
OqnRyWNfgWSFj6bg+lkva1XXaZN/WrGw0ZM+Xn1bUQOGFFmtn5mrxZwdMeWZBPDYzRcyCUbY9u08
BrSBc9U1ZZk0mhvxbIcXhvrVvY8R3OnRMgl0MA+8rEyxm5s8/LBkKavXy1DOSuEEAj8TZzrQ5lGo
ZUP0t3U84yjCWp49vbATcVcUGPM0FC9v7R6aLawj9Box5CKjUfwoYrmAWdYeWImLQL3xrKl5uO4T
iP7wCrUneKro8XTx4a5ckn2fQZ0COHEHomM4JiKqXWxoUdjlXs/gubGlTvMy4rCcOBS1ecfqUh3J
nIIJhVIjfpBArmHuZNhMQYmOBlLP58uzDBejdQpJMSYqO36PIUeg+bm1n6vGbwU9HVxiGikVOIgE
bhsECBPW50ZKLvZ0sqJxg13uSHjKVOzNaV2Z8qMWRraWe5IS9pBGJ0nV2QsRJW4iQWBi+M80wiQi
WywUIkH/A17SzxmIXlpEWeBiG8SCGYYg6lJ7YVbBXAs1k32yM0C2TJZOsMQiieSZV5Z//hAUusUh
c7qGz5iaKJfBFn4Z29/2kEzWUd1BPecnYjwZtjcrNeVfr283XiFuSDycqmyg/IlsgCVl3s+LGQqw
ACt9T96MpsLqzH6yObwZUNSszddIW5lYes17C7bQHR/IsluEdoWt2n5IavwQL9SB3gpxqQ3pjYeT
wXiI9C7pdiHwo101qT48GPV/6PrFMdX+hWxI+HbgpOzh46Bea5mlViacLkdNIR3Wfs9YaOGQhCAa
w5JHbfCHKwkVTq9EuVPhXHo2hPVUiOnoTvRqKhfhHVBUF2ElZwTc2LufoplWLHM2oaKJXav/HRap
jUSBsZ4nnOhtIxycGMNm+o8FQjPNb/F623JXwAejzLDtdokzCB3oJ56ncKOF3FqlQEvRW3RRYOx0
7lra3HxVAHmb537QtRw9mI5ZgqRLr2IcDuabO9YRrSQ0I8xhuJd9bilACA0eaRTa2q33OV7+S8GQ
nxQCGUL2fY6m/ygHLGvOGJwdJ8Pei5vNri3T1twUM9YA7newFreiAjq6Y612Syhm3RHQoBUXZpaX
tKw/Nz0GcqVjbSppQ3Nu4a0jFSutd/HeInxE7XovjGlBBNUw5EMs8N9uDv13OngJwQ+aSg2nNejx
KcgigAE6mQZ4lEaG/wpoSrldO5SOOtSptUOyVnUz3UNgUO+mETK4fyccRr65ogRqJsHf03gj3blZ
7i3WhsJWl/vBNar5I4xnx46Fr0eiLv5chYk30GwiTEQ4T2gY28LHNqRCf0F2paED5yjU0TWqhoxC
jC5tJEUg1+B00T90MmxQNLbxz/nktD9Tcktmxs2Z+woOZZSEwJrvJpngpQlkUo5POgmzcen8rGGc
aYXjxDnvnE5GlFRe0pOY/QHVlPTrjnerOItyE/wEfGzgH1SRNQYL6E2B6Femh3s6qapMd/uNF0NW
bDo1Xg9rlogbcm3c7ATnPNiQLTOZn2lUoAtMX2kZqYhk0e8ZHtyB9JyOGmwqCauZZtVTUwCtE6QS
VSRL8d/oJvovLgMu1+B4K/gWlQKIadsH1VIVLMFYMy0xMsXnAt502GzIk/zdwfq1NuNEbVsQ6QDD
vNvSCO5hUdGjqAxZAuPwplGVDNwxMs+Tmb0g7j4VQpTZ7Rft5SpL4RK150PQZuFiS4wsQsfsjgHW
ahi8sfDu0wS+jjYl9/8FqgvFGMGd/N/2wHV2Qpzq9WUASNhXthFNFTx99Bf6wsZ9AeJcGRzDgal9
A1Ds+pVUEEM93KBvbiJu5lXgWf4RVFibIVsjCsk+6et9q9noQ4QHve7Fiq5eiRFkFC4yBl0nownd
H+bdeBKo/ylsNon25Hosx+NDIKLlePtglFv2jea651n8pzk5+p7XigKfFIrMmGlY1hf9ZarUQyeA
hJLPcdoHVmrjelMMpzwyXO8uhj2YN/iyYNHXqGSE0OeNduObCn688MVeSVMr1E3wuBYEeNcdx3Iu
eCAvWKD50taYSM2lRHGbSufu+USbqaYw9QiaWcxzzuBqeLXfZ9SgzA1SXHxGntqAzRsopQmqy5Yg
rdhgtfP5bwxZ6GBojkLD7/r6A1jT/U3ujPQ0wN1ZiD5rG0gr+LFURRi6Ms48eMpFQJtYBHpNx8lY
0qPEesiuyG/BFxQMczPVQSZr7OHIATkr96APHSuccpKLpZ/lQwEefZwi8yGpIn80x2pbuwdefJbS
P7ZqGeezd1WJcDqzYCZmlernIUJY5qimQXd1DrZGvaisVw8QWDBEzBrxAdzOBF2C40eV7K/fP1j0
RfkyVwchwfUQ9jCPGDXj9TFIY24iKPHMwjpDfW4O3zo8FnPLC9Xynjz1e4OX5wF7lBUpt7W7Lm+J
IDr47kOuRRxNltEeZ0auR8HQKptiYMCLF4ivKJam5f7ly6O3P19boAZWH9CkuBpUs76v6snR6LrG
lW0Jygr7dDurnPw+V/FSvQN+dYubz5q6jM9l0G6AezhpmaN8THPnoChXLXESAFmZ/PHFDGKXA0/T
63C46L2xH8dhxqRGBHkHU6S9rcHpC54hDpOmPwfuYsEDFDsqVdjIY0ek0EAAUknZUUpq0qn4pg02
jAmpBkg+m50Gu8B4CSpcr47aC87L0q6q+g9bDrvaoqSoVK0MseCvfYLn25bfnNjMbmNR9Sx0o/jp
3BaHZRbfQAdxROAnP/dEpvaPNSxymxqEn2gfrdWp2Q8bHulnatouwiPSUfKOGTOR3HWASNHifbpc
B221j6+Hn78K2N6sqenJpdRcTrS+z1hasjOJa67HeJp+nH3vdJKvTTzZCeMrI5MWmE1FEEDoWrPI
p4j77XeHKV4BIKLc6qJiBTvJApOXqxcQjhRF2uRPo/YKgU3e/njWxMvLsz9Gz4Cpv+eikVppYN7q
26xEFyo/FD7c7KMzJRXsPIWQOxTlsey6YL6f4Slo0wb+F+tSBtxb+/8867YT6ES71V5N00/xfbPo
NnQaiWubc0hBgf4RkPcqKIxV9is223VnP7rcCvLBGYLmop3f7m+cjQ4ScKVg82otJ/rGjqgnujx1
o9rSbj1mbcthoOiVCVV+NT6MuH6WDSiEujKcLFm1RB2hrB+TNfOQL6acIEmVyifk48aW7QuWJj2+
JAbw/DWnS0Rtde1YM7/tBLOraR/lVBQ8/1+wcUbgpT61wHVaiUO0cFlPNjIEZ3todAMWumfAAqtw
fKCBEbeQHBngcHejMlvvb9LWd20wUbYfF45TzQWei8EXhNxyv/VS1xgxPDdUdeBbJKOg2qlu7w8i
OdNhFKsfuStAmx10Lcdiq9jmXE5DlpjXxfHIaSE0MxoTstvaO7ybZw9jXUy2ofHeMt+9W1d6ZHL/
E1Ymph1gnOVWyUMXVIqMOJQKvGJu/WH8ugyUGuCYIOWKLe4q28ffgt9bxV4KUSYf/fDbjZoHIl8M
WRCf5mNCEcwWD6O61R0uhFmTKrBXK+rirVo0Hs4mXXQLkLW7VJjr05PBW15jW3khwUyA3/xy21rX
4cxfKq7oSugCwnBkfBk1rJKngFOMG1i8UwtgA8A8G55A+3FezRUu3UEoXogEwyINaDVMBWhA2EtP
gE4EKNdkWQoArFc20+LlZSkkSGYmZL3wIADY9f2Z6QcCvWpfryfO2eW22ME5JgEbBKqp2siurBPL
SPhLMdC/kzXB1RdqFtHsPB/cIYK0fy66onnnPaafcCJMWi/5uHQNRa1KzEeIjDKx526zdB4RpEU+
4F2ck3HeLr0udidMzQNwKkh94cEPV/YHOlWn1THT4XKJnZ/WqzkG4et0FvrTYBYAKlDbh2VP/qm1
mpcE0e6Ru6xmNuTSCRTpeko4cfxu++wI6Dulfcm/7DlX5Tl2qs5HKsZGMB9CsZc+sGfeKtZFOsV3
pU3pgX4YLX3/TMqczm/mTety8xLY7TdKQkhSz26Yjozwb8Splt5hl4JfUg+QRDrvvPMIfFUx74Ix
op5V4Hcvxf9F3ReEkF/O2VXEEVVuvG4JKybQK9poEqd7c/zuWqiKU0VpmlLC71tX7GDO31i/VqIt
w/vR7eqZtzDuIYIfWCHCo336gNCK1xvXZ/UHDLBpZjw404Ccgma13os9m04Zh5XyeMaFJ2zRdw1c
KVcLnIuYP+pTBeWGNMxy5OZORCi7CTzMUXWvK5W/S9CrSdPXb+r9CdQLdrdhqPsVvQor4fkLm14Q
QM12uM5f509dl5DxJK+uQJK0x6yVvZd00KkXE1RTTPLQgzo2yLBpFF8jnEnhdBUPJuhl3r5wkOKa
d4PtCPs3Kh+8NTpgSBVHjdBpHtqMnYG7hrxkuozGjgNxS71mMxtcmR2UGkBE7kgWBPA9bS6FI9t+
Rl2QzWDdj1yR+mvaV79kfch2zHsroWUO+G77S+jBALiSXyJ6E7D0fLnnQHZ3Pl7/Laje1sMzlAOE
+/1PBy7OhztpZ1XQtBw4qaRtn67tjPwBdmWdNhi2VpYhk2qXm/o3m8U/iIYukbsc1nT/OcdOTNZ0
p3Z9DQP2unWKapJQCiOmbxwgB97IiYyOtPAEKYUg7VmNRetJjMwpj8tZGJgrsHo8kbF93GZ7o/GL
vMStdHfKVCZNVm0Del+OnZDJ3CB/nyn7piBs04Mrz08uGO3qd/l7SEKgxhK2ZqpJhbBxTgGknLUk
ANfrEumygITowXb/dq6uNJBfBiht6RJmV0m1fiGruTWSmStUnyKvEAuM45WtzAAW/YS+a/zj1hnj
LwhW4Enbytlzrckkn1/nmhvfawrsLU8KTF3YpWQFl0tt0ncPe9L7QNL0Umt33Wf0IlOoJlqWu5qm
bXII/yEQXncCzwHpMTVAeUMPgjIx6m74/Er7w38Mxk2cqpaqvQ295wwmuSi1KzBHXfOOgsTqJ6jw
aLxNFXadc4FeIe1EODSd0NP1sj5S15FZ0QDyQf541oU0vTvZy9HT9vorfd52xZXhVAgu6GlAVTqq
gk2fnKQUptl/V+pbP097gZNaBN3wCKNwAZ/ojtmxZob6hsElwFFj+S1plzV1n1mCca+0iVSHycSk
B9035eftHpPolZcWMadVhzxDqnhugYWIRo/v3+vVtsEg+py+RvneynHA5SFrN+Pim08QW5qI6ITU
U+MQZ43CkSSEX1I/hbaOaKFKa89qielhF0unJ6V+PypfuOVsvxcZcJl9r1PqANTXYzGcp0qUzzTU
H2auNzVZjr8t/IylUqkguGDS5CdoKIudhX0dFbJ3ODvKAnHYl0DL49mz06EqFvCNBxoX+mQ2LmKT
QcMKMczqfqkbkFRDSt9UyHKDkM3kPWJR0SBQGZHMJjPF7Y7Kb+DdrxBHGwmx6oGFy13P44WD/qWk
aBkxvmaFzxa59I2S4pxTzfDBNs54aTQlaU55XYCsTX6F2xT+qeAmtnMVmPh1CG0/Ae+eJOvMP6aH
bydgg0G4mbzyS7jXA/QrtIFXR6Hhti6Wh/H5G1Vr/EMRMkllbyMfnMB5oGgLO6hJhWKlDs74Hktr
h9IYEAPv4Ve+23AIS3l1l7vyNpXvN5H8irb6159hL1fnMgjSf/d4qpVeU0xRn13Y3cotpo9jk1LQ
kpyUJuFixDY7BeZ1SBDq3FLlgV3DF4KMyrT1RyaKhy+s+QaW1TgFN9CNZbYCBZLCCZkg7G80p1cW
4/7uIVDLYsooN3zja9LFg38uBh/hKBgQomVgmyd/gRZMwd+bxuq40t0cYF1hS54hk79fV/8MXkZs
xLIJqcMN5yQ1odzLzmddV9fss3WjK+e3CJXldE9ZUc1YG79Ws+orftQjMm9ybeuUOrpjrsFklZfk
7+CeuLcDX/glG5R5brvj/zwgTCN2XexYvnkZDNDOKiUhyekT2HWDxF1pADTDJC8YetnLvCB/CqyR
KP3XVZGHtGy4wksfk/dNQrclvXWXwrnrZqiAx4RA7JDvQbJuRd82JLTOShkmfBj2mjDTBuVh4BTD
vkZHIq0KSBC3m/0xAb7/BfFxDiyIUYIWbB78moi66hTbdUXEt+J628xOapsgwpCitR+QXnB0AsTA
LUNSFX8mm1knbQ+XEbzT6pflTLCFzhwKpHYOsqgENEVSCmaNIVVP+iyJvqjvGL8b9Dqg1EnXkJrH
Bnr2ih8huewff04J4AwBxaf+voP2SmlaRQ1bMivx6dA8aNeVbWGtEiNZAoUUu+W+dPgDkQ/DRSMR
zEkrLpPfxKL67EYnnomkpYYMk49KxI+QWLrSPDTILEPDvx4aGCdbTN/RqaK/VfQ1KhKzECH3+Mfx
KNklItRNwNAfomkYfBwXO1kjZcpcsfU+5Xl0YWUNo/GmAuWXZqbRDXigI+owoLZBNiFkBjpt0kqi
+TSk0JXf1vLalTovtjlFOtz2Q3u3S+oVwxanYhahMXvph8w6gByV4D/q3HCA+mOFeLgSGaMqDlvJ
2i3HaJJPiiR67FWqFT5MVP9YreuL2pnB8k2MJyBmDk76bp5cFTzk3IJqOMhdNlzxZaOgKdtmt/ka
tFSGD1haVXpqKcYmFJu/uUIsjNK5c4wdUvSZvU1aBDU1xzE8G0HjKduRTS3IKfSU0tkar4P9WHBo
ptZoeuaB0JwbiCchl0/aWhhhoxOjtu9H9+agUzNgQEmW1diSzKJeSK8f8EMewi0k0gdNbQ4zYB2r
n5+kBrBfcuSYQbI9N+AH7hnjBi2s4YZGjFo6+jpQEKBBiWys2o3dP2Sqkv8Z8xoj37gLfONDxR82
na/kUK+Dw4gfDajhjPvzIidsrnHVYRExwsstINP4M17nU2L351HrTKjz9CNDn2tOKC+FJ4SdteE9
Vy5wS1Ou9oAiZJ/dV4OwjQTAUeXd57QcG4Pm+HAYrEETAXd4P3Ek8cR8hHyd1SJi4qbxsaMlMuPm
lq8/XoQrZ872ChKSWoWP2602CU0nMXUbS/VeZcveUeqLL5um9O0tMIekUbTMPqhyQUjKbsck1nIC
AKltpuVOvzw+Ptj9w6mup9qIW6UnSomlnnfTBIcv1lK+N6zOEYFjQibqPiX6IhmBYNmcxYnq+o6b
WC9QEjhKqf0qOBAVQt8wB4YFto9sVzRRHdiuG1so3bTK8h8YqiGfhpzr75O2ZlN6b7gdj1PvmZtQ
l9Jqs2h8h4BCsjjvJOp0LFlFbz2/IwTLwtEL8QH/blpBh+8ut4WY2QNjFupoS/eYa2PfxrmlLQNJ
qGqjzaeJhNsZUps/koi5AyLqF8MBgP3M+NHoE7Mbp6z2mQ5TUwVgbQAd5PGWcS02WiysvhI5HGmE
Bt7bMnRktg9DvyMb/CD0zVBPHC4da3+c3328B7fXsdJd0DLgTpibBPGVqrA6grvjp9ZYZ7c+Y/kG
LOyI+xBygxYsDKPWIMeqngCkyCjqsWQ0wDcDXAUKq5lFBIxqJPl40xwfXiv3XR08FOEWPmmPH+sK
vsj0c0a0/02TDlOpjAGAzi8yj2pzt1wMRajf0AGiNS4/ffa5k7N41SKCiq9TGMQybkJ40sHeFUN/
blRGdo6fO9mN0I3txqvv1pL2kryQcvYoA5D1jYO6HOObmeH9uzfSokj6F52ZjSLO5t1kKHhDQUtt
loCcdpfcPqqEEBxqGZthQ5YuDSHvnp26iSwTtAYhMIbvMNNNsdk7Eb5CbcJO8SCL6pF7P1TemqrC
Kvuc89Xv1T17Wg1G55WSgbn19ys40lzxaBhIRdEMSBj5zheovfcrANluSpbEFJKg2bFwWE8GZoCZ
6OaIBF1PYHddfSC65zx9smoZsJFI3+6LvkzQZxpDSVZJpekhjFl6nfAZ2NSU7lkr/E8U4JSb0/as
AF6tUtDWRGQZZJsix2UryvKK4AHR9/82v+SvN2nd5WqHCLmxicR7lI90WAPTYYWMWnxMRsXKlQoX
lEYbDPorPQZZScPuRmwCVj4t9dZOUG7qzLG6bklVI2x/5f10jawhXaNzhptyrUNvHCuzQhi5hE+H
Jv3tv5Fdvw2V7jbr2Bw/3xorZDF5NrbZSUK4sPoKbYZ1o9iBrrcsGOqic1QNTBIkWwZcFRxWVeRG
WTi4kj0fqESVEKaYArerJhzgyEC6thro1VqQEoE/qgy34dcTkgBD0pFtTXwCxn64LE6HS2cIaNlc
ME+q2CGNLeGdQMVMKzDIT6C0wPmpAAMwRCTlxz3jq2ZFd0vB/CQnGmng452I4/Pt/txbKjmOLlXX
9YTAfwgB9wTZ0QTubL1QY/YBdthb6SPt3fV+18ukyYCLBi/smoOsJFn2epCkzFVI/eWrZSNM9bz3
Cv78+AZQy7v8J3KgIa9eu/sqBmru+QTH9HXOu4hfvFrJODD4++vPEiXaFi+X90o1mzga0xvlm6fT
9GA7GEh81X4UnWWHu3AugqvvAJG25lrHIG1sFDv4hQNYa1SnVPUa6S6U0weDM/DtD/x6Iq/HCCKT
DhKyL3SzQaswfoxAsEMkH+9xyky0hfzcJd2Pm6X0wkazVXWDNDDDDqGr4BU4tOBY45nTSIunMlKt
RIYbGdJl49ovHY/QmoXIIiKlGneuqXEiI2BKIf3GULD9uR3i9fkX5ZhEo3Nf1Iti0Y0hxmZIukuO
6R6QrJ2TQXvmT45hBNzlcLyw4/4/cDSx/FeOSDy/Cerss+M52DukkJoxglK0kuGqXYWa4x1IJg/V
MnzQUi7wjqcR0r1+osFzs6iH/paTXObQd7PP/ixr3l/lrHTtPjSFM9yHs5y3Os5VDB1r0a9CTP8/
7W4RGzPXXYUITNgbHznOUveH4nWSBLqTMHz6l7KK8+mmKtamBueb2XjfIxCqxJq1rzHH3nMVoNT2
zMxtCsDY3k9MF/CpVTM0wOU7djfiKM9cgX4xacsLSOYjHPLQKmanhckt+wAudvL+5ER3hQGFWpbD
lMksDWdBoiHKaJIE+0temJNxxjwpZqp+/lDTJ86FUlANvx+X73gMoknikPPA9l/u9sLckicrEDr3
nhUej5hPCrIHM1V0rL9JTr/HSEULpLuvIMzFMTyaSMonEVVB1OWMuSDDLafx4MsiG20z8opCQ7Vx
zzplt5OivOpLD2ls0SyDPgvf8oRVg5YIaQHwv39YIuMgQbVYlcb+5VdqtN2uUYC8mTyIOPrrdvF7
XZfN/eSnVknYdCWX8HV71j0gPs3IOVzJCqJJKRuljqEnll4wC1Wc3QISb2sBaiPZNrG1gfCsMVfH
CcoZ9VeLGRn+eaKMKyj1qtSN9eXCGhRnOHdS9+BUqImvHnMqm+6l5+mrY0Tba6MyqLJ4flEawcl4
/T1UCFJ3CQLiXo/8QssYo4RoVuzn3yyNMocP5dHc1epswzoHfYQguQTyxIIbkWfcoYK7ETsris6B
FTe0dkQ4v4RKVzW4L5AqKXVTQUBhBQRA/F9ekCr8i82RYGBfeAGv1qGRlwqyC6OPybpJuSUa1Dcg
10r+HZyQzNXEL68MgRcQFrzCIclyJSWJUqiW9Dsus3vZkbvND6WC/a2afi4YcHRR95JoJRKriV0s
cKH76CZL+nke39vF1k3cv99HbRQvssTq43uRgN1PnlY9vqpoW+/GAtwZdHsdroH1O+n1oNojpRwZ
Q0K4U1JgK5lA9ZZAfkuXNhE5k3RE4exIfbKe7wbpM2orCccdsXDtzLZufIxCAU+2diUhy/djXIFh
2yA8ZYTqBIfyqHnk7mPQXviDwVCwHpC8R3t3hdN2HT7AEsaStbUBMpuk6EiOyfug3tESKTjHh3jm
NWzVHABGp0/dq/wQ5HEFxuBBaMRLRHfrvDGXY5TmEDvdArp/2BqKxmG5NjYZEi9UrjEOLYprbYsi
Y+CihrylMtTPhVlLrpEstAHL+Rt/2GiLa79nelIcpSGzuTbGr2OsyN00II7CheVD6FaFDHJ+JSjZ
c70tTApGfhlOX6M2J9nvLJ7sVtO0cP0U2m5RTsU+q1yTK7eF1/FcxC3SbsBtv/NciL6aUykxv1br
0STH3a6qK5rIxH0KU0wmWHyz8BhsuM1roJ+7psDUP6ltxp3yC1INMn018gfTnAr7HUwbuxxEpT6s
t+WfTUH/LiHmf6M2UjEQo2V7780a7OaG+wO5FeamQZ3VQqh62e0s5rhtdG3pKMJR2TjjqnIf6ByP
7FaiBSTH2SbAnhUq6sfdfzj/NwhNo2HT9I8AzaEMwtmQDCLbsSr7QTW891F5WUbEE+8D1ukILMET
AxKwd2J2kyOuNQYBtVJz/FB4ptYHlCkfQo5FU4ce3LjhcmV/7+q3AIYNzMhliB7KZdnUIwUwL6Sf
YomLSdj0YWcV/csbo89DGXIsGJK/FxhS8TwvxXpg0GUQ6yNNJ1XOQZTqqdbcTsz4z70WMGuj9/wx
DHPu9WhnsP6xA6m8PzvZ6bnN+v5RSC1tjxLAXdtkFuE9hbSVgSKqdz3CmrAwL6nvAYLF65AYviGr
vd4NhcTMWGScLalJVYEI+njybjc5cpMN/CbOfoXPfxaVzmnJkIp7TzgR25WqjgZaRvxisfy5bOqz
8V4uVxeECfOEFPqKFv9nBAybpZtuF5VaJjq8i6vdJfw3tO8yPCgHb1o8Gd/RJp5437VJ5msAahRo
fvZ65ggGZ5yCWQsnbJ9rrK9onGR8WPz+969uUfuNb67RhCwZHZvcu0c8SBeFFUEhVatB/yK38MOd
ME51y3K17+UoqXIFdf9TLosIYSrqy6J2XbWX0jBf9Eq4+MDveCBxyDXMAcyVE5+jOWDMgqLtK0d5
3tujBPT+yGGqrODVSXX1YU3uDEhhdPMcHU2rw/xRrsZF0q3nMoW18CmWJk9CK/3MsSo2aPLpNGNQ
veL5APmXJ5yr0LErClHJTMMxY9nZy4ZxvVJ7SetvydlXPkdKdSXSaz4srL06wQXB3Rzm7NbufhUa
pLMz7BoeJ41Fi2q314xj0u5jjAkq2qwcB2LdtlQ3GB4C64sTt+/XCPttTfvywKd4YVyz9hqhMpIl
cXvmWmjQuzR1TYD/cCouw+EJCR8y501VvLXSAMIA/F+ER5FyWV8t6TI+a8HisTfToAEwBvTvOlRf
yV/MoBP2HSV/FCmxrHI96YZjRzkneyQoBDlytJDpt0CUP+rpw42YWacaHwN00Yv3akwUQ7IQLrq/
CBq/ikapUvk8VZlPdtpo8f1RYJhMLgFS/idIR15BeBM0XDngSeK83XB85WFcQhoIZXSmjclj+ISz
bBqTLvFkA9nqOxDi2w0vAliRBIXElsfA9DHYyOZCZuOGmsC8/zmJCTnX2rTxsCQOxhvcAKU5qltF
kBLY4NFCLYEFi20sHyBLF7F+qNm7MxyllKPfTr5SUstUwPbfURjti0crm0UL4x5LP0hZjo4XwLFI
k0dd18d7zEwrIs9PJDOwI6u/S43xAUAK89a9HDqW8w870gOGxum8DAW3Lbim6JctmRFf6Y23W3dR
bh1yna7P308WlN0phRm5dotgXR1iezrKFFtawbygXaJO3SzIr3diVYJoWMhHnBPLvfZ4iVP6aygL
wqVpZRQfykExQSsFOxG/pRNvfIHC0uZudITzVmBXw/7szVJWMwfSm3VWbTm5o1kX5i4Pw5k+0RYH
O2MliPH5GplG/TPJB9dQeeP8qo3Fqy8RY7QmaWcPfjFUGh4yXJ3mwLccen+zx3qX+YwsIAcciS0A
+FtC6ZdhMsKLXI4fqvqlNWIwfkSQj8F9fcUdgE2q7nLP1+Nl/j4ps8WIqP1bNd5HCcffoaLqJ6fE
nDAJBBbPCTGZ8vJETddSJZF/N2H5VuB33pOocSFImTn2CYcVIESu7DHuHkpXGuExf0UEWSTSimsK
D7/TgsVLLbI8DGk7yiDyxQEWqx6WaFx4Xt9jQSv7S33sLtiPKeZf7Y0U6YRH0f47G2XT+11Sei71
qwqO/qJU42qk7JF8N52eJqTnKlkSnzvkrH2w2KOq3oBhmk1WkAr/RXU3FDPbwb60dAI8vvYZGImB
h8GFxvyL06ZDIAGMzI8Ix51yWHDLBjnNg2C4+najUy4wHSQgdQ4STsGi0f7PmrIMDpV5+NMV7xUC
DGVSaS5CHEF5mi2GhD30xDwOMIYZ8MCEUQR4XJvXEu8hLljOWM5+JBkjW25aZskSybJ8Hgxe6zdI
sjwo0tR9LEpk6CZnvVk6oWD1z2lnx4J6RhLwP5qNLrchAtcF0KxM4DXlRKEIeTKX52WbCq/sRyyK
I5TOE+ipXDRkGHnkZWhid3fLuAL+k4bioVuFFp7L0CE/SaBTyJb7QMvowjx1367eq8v/GA6wrmX4
+BLFlx7BdaREB7wntllBrr3BuKxm0EqQmt8sApC4gD4fFYh/qhPwAeTjtZJtRhAEs2S6DFwbFa7J
MJYy4+1jXl4FAVaSHXutYQw5L1mZ1wUKAwgQsME7wDTOk8Xjn5t15hfrEQWtAOOLJQKg/NxLSx2A
Pf9OBslLbrtH/HKHr4HeOY/gncqB2u14xI8edwTseOs0BXE/cKbJvYW8xPNBl4/aabmKjeWtkq6o
8qADz1Qo9MqcITBp7ciF4HeA0xLupnV/plGlJ3GoqUJ+F4OOHNSDlSiiyetA+mGV7W1T5lZ7BFEF
S7XsNzU1QJUyiOX20PAkROfjU3Bk2ROuCm73Pr3ev2ZIXfjpjg6HnO4rxZev+2/woxAT78E3kQOA
bM6cuzxOoT0AArbxwhVCx7vCX5uqY6vj7xcMsvD1CT49CH3BJBEnZRw3bdXhDtNZWaPXVZ0DHVUf
/Hv2y6qih4PnmZq9uyaL6urGYujYfuATmetolgp9UlJPZv8/FWeM79fOtxAzsEIqnsFq7d6QrN8S
/qS/nOoEDb8LvSfZ6WfdaqXxbT6kDkncKX1A3JEOVXHGgTj34RrqVNZCGrMU6igwGTbOVRAerlZf
BzoxnQpLzprt90gdXqPpQZGnfGlbGXy0qzlMww16yGZI77Ip+X9qUcPcxJ4+AXzAn6s/57lS1+Qz
NlMgwcGSWn4Pqj5yTKMZUp1eFVJQMTdr1ALdQ2Km8vSAx8Z3zgMfpOPuaJqtKKVVjgSQlWz/A7ka
wVJBrAl2G/hsUqdudNFFz4u8b4n5TEM00T+U5xdPuo+wPqvuCw5MhuscP24G93n3H6FyXQRJip06
T9b6sH7voHtbUXtbHu6esUEjZ5w8HaS2+CbiV43uBF85kI+QQMLSxrpQdVgRPfhG3o1TzCyGZBUb
LJ9kJAkDn+0M6iuAik0q2oZKWtYqnJYZT7KrPMfwiQzdnYMffSPQ68yhghzsbMkbaD1egOVO5dg2
Oyc2skNYPP3w4Ym8nhWOunQQ8NWVbR3Yfe5Vnocqz7c/2WdQel6Yhz9/KDi64cMBdAh0d374QSFW
zj/OBgbujWWMP3fwfYm/4BJvvbl5ci12Q22gXse/NXcjbxsklPcpSHJEfcaLwrNRYFr9ygR8A93H
X7L763POZI9lXpooAyUj+TUJIcB/K0SpuL4NonAEgTVZOtghaYdmpEE3GMtLYHvibhC6kLqk5u9t
hjRMyVGy3ii5W5tvGPOBLPnS8/0XT/q53S5W7+o4hH0peYM9h9PazQZH1CQawNl8pZqUeHWhjuw7
SFN965fN2JuxM93LdAgQOt7185MOpmV75OuX9QbQCqcIA70u8gCtwQChcBL1pBjBAV68BtNRCQ8Y
aSnmDnGRTDLDy/OPie8SdvEnVSyyldFB2jzwdUviyA+3KSvpao8sI8KP6lwr36gr0TPFtOxftjtf
yk5bXPNUc8ppGe8AsZ9r8roaNBoICUfaZ1klIwMY9ZpfhGtQdVncd9+hCkmCaA583wm4VvotN0Ce
i0lchPI/8Kh+odp9HMdcKHK27bv7zKE4vvNK8gNGfxbbjLyc9b5AcGa36z3JV3AXhHurlxZL8+Qa
XlPtHctd1rd5NdZuUQP5HG1QNC0jePlHqshPUMMppznITMOqqXACXVx2UElm+jqouYWTenTp+iGK
GwrOqukTdFwQkkvKXk3fyWzAGv0bmA+aMv0jZ3HVuopedXEMUduf3w4LlVOWo/9kE1Mo9kWglDeL
SFJmU0mswf6bdOYfyiX71fgZtBB8LbVxQJAJ3TDOmKVjPDeHWa4xq0igxMn4waTyxhFaVvnSnzi6
mcq3PGTLhk3DPy49fQtpAkRA4TMGKSV9bBDaoLZTnL+W+az7cgxa963ep/3k9/cBNkEtYc2bOdaO
eYlzNsQL3jAf7jDx+PQykRHXk2dMSxK9AbC7xsv1dvdx6Ut0jsUmDYFqj3nWZBeAn56KiMwyiXym
IuLhS1Zl5RnAmamCcWOT4LLt9CsYIU75QOdI/jEAMFZ6wDdicTQqnGWnOX/FH9BXb3s48QdcmqkQ
Fo1xS2vS5Z+2/2R2gnmOQP07qTqDMgXCIJrU4lspkpwkHPCxhOdmVXKHVeHoZuKl59eFAxEHrM1h
FT3FdmMrT33KyPB5abiktkZvRJq8DhgicUxdM6QdZajpFE0LlMLc9nhOS/cZccq+9UQs2Pfww8Th
3clpWxS+PH5tdbih2OwfQIrFH6DMupGGUPReh9L+4ivJwERmiyfSvZz1zHcVo1fRx0TiMgX0y5DJ
zWe5Ub53yeska9NgkVlDBYSqw4p1BpxhcSyQaFK0xs7nJ4fwbc/vo5uCZk1jf3rgTG6+Fxnia/vJ
PrhMh3cvuLpOSqX/HMbUk3Bt8fu1NRHpP5emyI7KXP0ESPNe5qsxCEAktubXEryLkGAmTOlEhqT/
LV4ZwHocKpTxi7rhfDjuRTR0MCd1I7klmgTi/JdGnXuki7mRa6tscimOLdM0j9/hFy9RazIhDM6j
BjnXh6DFVOhBVZovXOF2+l4fXdfoWdQEUwCGPqOiyo+RwcQXjkLwAbl0NVBrmIkYnD0hUF0KLkJJ
E4qfhY4CvbXE6p5NEhAva2kq2zbRtvruPOki+Wjxbya+l/hHhbKFA9eNsE0Bq3xIWvATevJ1aRTC
/Rs7uHFdtG8eArg7+RMKYxcys6GukykSw358Lg0nv6Av8cJ1PdBuZ2a6XLKkz+4HtTOfd8P7WZiG
3ldBwP9MnRliThaWVY/nnhtDmOI8Bc1fmJP23NSKQ2n1wXo6TPVqu47iZs67otrobQoGMBxJFDMt
rtOvDvwbdw0DFljxqXzERZMBhS0AweCnRroG2QHBVwp2aZF8eDeCK7KHSBLYaycT7BcIGC4GwYtc
dMrWR/ABF4wEkK3p/XgHig4yNg4or25I8jP7uVI9DvtVP5n7oHmVr7pMpDg1MYRO6xja2lx0Cm0L
/x+3LPCHKoLnWi0tjCzH4Uv2fmLhGjzqwrR7Gv789uNDKuMwh6L5Wg4OzV3hqn7D2nqDqyNKsCE6
Hkxb8SJfWrsk1bZeIwlFF/qIKMsO4xAGxcrlR6MnXIWXn/98xp1E9FaeUEGTZFRB+M4D/129gnIp
VSnEXSxTcQd6k6+7BUGtPtu8uc3U80/dUs9pToFNBdlO47J1xoaCqJXQSLRgSTNW7E4QMU2+xqIQ
/t9MzoP6paMhYr0mD+YZKmyjcZiMxM8zaVdlI0DEdPJ1jtarFWkfApqhZat7kAg7+OYqdjFDEq/Q
k3x9I9qEkVa3QuswnootT3D9BRJaIq8aqCDq6227HYdjl7mRYvDOtggheEBM7NJrYHRhS7Eema4A
QlrAzf8gfiCAxyFJa2C3TPwl/yYa48pT9AbR4zWCFxMulfU32ihA2XeSzO5Pc23WqkY3SY2KRdYl
PE8EaMRaWVK49aDp64g2NBUqVxLj6gwHJzOwLKck0I2LaJyeedkdv/jt3OV4AUsZcLMv7+FckoDT
SGDSW9okZDXvGLDkJRMApj4drT9ytnq8VkSFBMDB1Qo6LdxklzSyCXvaJy3bwyLikSPcHlPPfzD6
nMSvaaTlzXRh/NJYFHrn0/yj/h1uucmTJRDsbxGjmkdg7EAf/eW3QUWfdoipH08kF9wIsI3kgMw4
mX1aVASAXmxd5W9Au8RtsWHDf3pf6CsFMXZ6hlk5kodY8+CvSdVZuJdu7/FZRw3wc2X/OEHCxvcV
UfZwAr3SS5+JHCA2Hd0XAa+l0AbPFf5AgR9XyVF/Fgf/AAHRodjyOHDQKgG/aRiHpPCudna1RdWa
zEepzM3jWekp4Qxm7BPH2YC9XfXsROLCZnhmwdvVeHJmOlKbM2ai7Muyk6H04CLer19KJBbL+K3l
m1axkLfyc/Lc8HhVQ2h886Od5PJDXh0aginsvWz9UqkEs0arqwVaYow51ZqgL3wlWkmc/dx7LnID
yA3gnfDj6/RmfXJD2N87qexJe80FYoRCU6k5SDlIWnnOxldhLz2TutXSWnOZrWb/CkG9ciTrlC7e
uiUD/jn2k/a6eofbymPXkCOf7a2HI9nlziKCX6/kZSHKut6VjqqbldDaapKkBpp0seC3b9sq5LGd
URblFv8DshmRPyALTvJ4lEqRnglVg8QK35urgsxikYAyHZo6BJ+Csu8sVEIobYKinbGnPda/Gaya
fI2/zEPRKdXltTgAbNATJi6NRsbVS74I+U47bpZftGLWIfscaqdR3+8v7qycphVFpFQHLH7NCne7
5OhY28Yt38eZ9tZAwOFo2VFOQvktyTRZdMAS6ttWrZ/SC4jCYCLJmsBw9+JSSxP/G4m0JrXLExMz
6xM6GrV3Y+jN8O7uYkeGCYoLXTGoye8OuwCq9VVHcKt2j0eQvM+Ok4M7PEef6eaUGSacNLWHg4Pz
f05mpIdPhJ7Ujoj3WcGLcLB2TXxf7TCHIM1zzecDhUy29Uy1m9cti0rfJadwqXL0BoeToGITaBur
ptXwvtELcLvytRTU1FSTYm04P9YiWRAOA0iVvfqjXnh8tDh5BkY2bRDUFeOpEhFKdcB0pY39GGkJ
p4KI9ftayAEm27P0uk8tk0GZpePdWnGty+Gls4SgDwoe45VLJBPmerBv8qUuSCtLbh3d0FYllB0m
9ZJSNnOxVve1qQcepp/QTsAHEe0afBQX87u9Km76SkfmBHd+sgdX1/JFjNY1i1eagiKsihxgnzfV
SDJGUroWpRIkiBkUmrnVxIQKbKIrMV/rCPEz+Wc2FFINTKdfEed62TLtlOTsG3LqN7nls2UC5Cn5
XTuSuDRkMZLSuIjp89p272EyVQVDvb5PVinJWYdqCP9z8xSxBBnUbEKVZmLKK6ct73w1ZO5hK/GP
IStfKas7D31xRRL6dk3bzvW2zHWK/3e43gFfIWvUWAodTRmSh8348B6asFUlCjHJLm5bIc8zpQWj
3uafalnrY0N4pQEkDyXkAWnthucSw5XXwfp/V+4sHJOzGRRvHTXXIHHWXx2ydYAk/yE6BtHI3jrB
0vZpe4J/EXwW2j4JJvpADgtfv8d/4ZbMgQVsa+Qhi/DIfjRn2R6ukM8D+unqxDmP944/mL1FhoLs
7RUALJZo9OfiGbt4TBkWPZZGngLLeecF6dsgqpAwzrTPudVqCpGOrxrm6IroEkK4eNtKew0MWGD4
EJd8C3KmwoZYgLnvNzZruWdxN6ENub11M5YzlAgYqQ/lzXC8Su+R8HbUN0pSISErCi3x2r9LVSF4
b8EcS1F1oUUCH0pNUSPdKOae/q4KYCPqujTK0j3wM+6BFT4cqrxJcYrkoe6zl1Hc3QgBpel/out7
2mpiEp7x6/eBmj2VtBWOIF0zAm8v0RGzfaO0B1QtKySvLLj8kEsZJwaRcLw0Jw+80bvvd1zfeAHJ
k38PHyTjM9a8qjixuAQqakErfrwQLyCXBO/BQei1p/xvLdvgXCBoWA78X8ADgpzEhp7GAihRIO5E
+76oWNviRBGsZhapLhGjSlIfxdNzuwp9xBRT51AplHFO53CCk9UVp9vz9asYueSY+Dhk3KNnpD6+
1t0kCqjUoF8x+NKEPOteMVWTh5dQHhtDTHmOUOuI+r7/IuOywYbYex/CNs0FHYSif2JUH52ZRRyG
SMZSULoIsbCegQkGleSV5tfihGU/euy9RvAvzWZADJoCOSS819dQrhAjLhzvTPtDcvcephjA/VnL
b7dT5qZlKfti3pGVzGnm2KnQXyB65tr76c7ZPivTgKyrtRRJR7oGxUW4DN9bcdWZel01WrfyY+3z
8074dzwR/H5ZdG+041GMo6wz2KBxMdi5MM5ORhqRW/G8fUabI/q3L/RqmWAQi4m/Y77AkEPgk0I4
EI9EGK1kAyqjjmFPfU/u2MJjfxTkhgvmqjHnNfdGluGcdMP9+WNcqoWlkT/XLnL2aSZTTmhUYRzf
56f6eC2vGsx3hLVb+RDmmitmmyqWF6UmcyzEblsfne7DeK+KZhcJTTNM8n8poPXw8S0NrPz9Jex2
M9a6J5EzWWro3gkDJpfeomyZEY2RkmWGxhKHhUwlL6/bv3juki00nK5wOa+JLlud/HK2L6sl2hQ2
PbUNL8cmw5iI86LAt3YB9tJCjwUwfTecoOMs+uoz9LYRUstblzb+llu6XQIVi8V7Ad1MTpoMqVkf
7Us9wJGRF/4ymoVug1ng78zGCybUE/D19O83jeXxT8jQnWoIFHQc/WkRn7pTSObdug1/7SONg/d+
VSfF0hRfQzG8OyxWzqlI0MdubNTyNEa8BPhkZnVEjt68byFkiRr0lmUmh50dMUxODnX6qpPKB03+
xjE3aycZLHvj1TfKTAYCMQEpDgI7gIk8JHDSlmjI2TC29geK4P6cL6mo+Zf2oHmQI+Iyhc335wdU
WDmLcw9dgq/Vo8szD6C/4kLY2pjK8y2fKxxIvvNmdTnBbfJUBWABQ9WPQBFpVcMRsGVFCLAAv5pw
wA1kPFb4gD1zGvb0EU/5JxXeRS0Pcy7S2c+EqYxc9K3cwY1qxyDDSbqsgNuOLq2boeQiKGKXBgC/
BTmo6TCcthxxU7QC8U7vuwKgbyOnubSieFCgd2OZazZz5mjTlZBuM6KPXCoNYOyXVLmtyOKOQyzc
tOwaGRk/BrN35tH1iQhkSYtZgzZ0hVhO5Q/ANWsqry/5KpsWyOJO/AG5HAi+rM58++VpSkmoiMA0
he8bnXioGetlL/mRkhd9jMdOX3GB59aOmVvAENfzewp7Uovd1xOg23dhpLAnukTvCbxw67Tu4Ojf
uB/jMotjbABT9J6MGsCiwOZyhUg2CXlYvMzkhKHeHUWN1aQ5T7ijUdeiShuM1dwAs+xW/QbK/cz2
0+ZQa6oXkYklVwBw/RWtdHv+PB4LeDql4mOxvrZEo3o0N23x2R7ncWGOmn+MHq2xoL2MY531VIDg
sSLcdlzLuIlvkz1f3dSfLWVRXAMKPeSR++DU+FdDpdXg4Rw+dxO6Qg1g8OiX1x5Iz+AdLV4gDScz
9Xv+91gavwtnTT+jLIIx8yONGgVNoquE7yaetC/8K+1lTzqGURNXp3TXD0wnbfnLTJJsSauci0LE
Hio2Mx8J3znpfzIDJ5TbCqU1N4WgpEPqDp4L+lh1BXUHbW58DUo5ZM/90ILxIt0dEEl0Irkdi8Oc
GAF0pcqPS/82yx9Or4O71TkKwxyWwk4ijZvSY6N8UJ4vBxPeUVvPHJ+VivRifIGhfdQqldHnsAaq
FFWytHc5caYr28njYQmltt+L455uWAHS0Q1WFm+Vs4pMS0CL7dElCHLHsCIjpN5+Lj1E7Sk5971Q
gq8QmewpGTVOYFFrB0E5uAfNvap61GaNwm1paiAyiSdeUnErJPC1YSNu+0A/2KhifZMkc6F/CO84
B5cbIjU7myTxHw1U0/VeXJ1VrQP3XACrwzn6zGiCheqDx8rTE4DUy8LUci2OijXUMk/6sT2OKcgR
5MQ8bWJANUT9Y15o+sJf2WyKMM7YASwPilNfCkuTezoh5GhECIATj+mXuwxCF/LvyHgGLe1WnE+P
7rf1mh+GFLfSHcYbhBbMA4c7+2alP/9ymQ1gBXp1EjBtD2k4TbenbWItP90Xa6bWSEMUFmTdvlO0
elWD53m96PtR3ndK872DZY0qhOskzqmd5LWm0FG59SQM04i7bV+xIXOFUwGScWyrkXdhzBYxy6Zt
Oxji5nNnkkgkEkdaERLa1GOK1kBPz1C9cL9DHcmfwJihyF4VqQRNdh2MrIokDtsd1gZu2/LTJLbl
7sgRkgPPEbWMEsgEVWaW/syrwcW+pTLJ1Dgjs6JECC7cuspVWfpG3h/21dP29HCV5wugU9/7IDSQ
SCitL2ZbvSoc6TNaduGxEc753hDVUC9teCVhkyc/qCM4TDTOvvEaT9B9Ri7m08Vm745HMaiOTUMB
HoI7LTYeHXu35n1Taao0e3AHZwo4tmqDeQd5wNlB0jYn5zbUFvCgB2o7k2FRoLfeeerm5UB1c+7n
GY8LpWEidoaZHAzcpZPdAMMLk26QzyBxJB0L0stwqIDkftnkHxFEEPbNZhcEk3W6YjqIxQcCaRmE
QPGqcDD38nI5Boq/K9TxVXc4alrhUUvi6Rq69nNlsr82WBNid52lLHSY+gc7C0ryCH1BSoe4ly+w
TwOeQWEUqHJ6UgLH6mFxEWxJCNwL/1HZ0iur4v2lxxmhYYhjKyQADemf0+KGMXX8NvuJsCoVNFZa
8eLAl2y6QO0+vYRKgVV9zLEJY5zvmi+YPFm29UGqLj+Pj6fjHL7Q9ZLYEBWRqV3ZdrI7fm1CpP7t
ivJ+HNb7UONCKJ/kmUn6pW0F9adiZFA8TUGiTyByQWsU02/eY2s91TYEtFODbjhB+B8Bg++Z9iUj
PFLeKo8XXsccGa0Bac8xmiLhEKggHDCm8Fa+Rdl3JAPt0DSnN0dCJLvooYZ4JyIHDvAFt4L/SrRu
W9RNKgnSbUehtbHLflf0NtB2Z2QFFSnBx2qeYFkIj205gGLjZrRgAMpHERUdvJD4fwlH4efNCCAL
o9ivuNkm/0j8qcWguy0la8RGmLuoYCLQ0/cwiKSla8IRWskcQhxHkqMTs3Pf8BpxfHrc53oOzv7H
XoyY5xlaY20l9XgI95LyyOo5cpiPIBnUMVZjoejFW+u2aXw56sX2UFAbEwW1xczmlcPFS9rzBYqs
IUgnLbRO6Ln7w9BN9wh6DIwCDVRaUjH0rYzwMeemdsppWqJJnrslJHr4aRt3cgL8A7D0J15JA3LK
N/lB85WVZV9c4vqSiqAkCrQaKsU2s9nOZ7z3QWojILc5LUpXhy0ajQOai0nnyBFPl420+o4BlI/d
K6Z2QNey+k+uIO90cD7wtZ0oyURdsKbVfX2G3261H9os0NyGUEFzCo+HVfyCoRhcSlFSY9gwNRCk
PjwRKQpEL8tJxy2lbHhMQiBAAQqaJi8BezYGB1xHvdz4X/M7cE7Wg+UrDsHWvDCq79cr0HhvYABj
fI/eqmS5OdSLnGq+Suf6fEPxXb6zwlN/tQUAaGxNBTD+lPkkD7B0Ppf+IzI6mooJRdvYZhqodx6K
PEKxjzF1i61Jrb8TulhR8xS6EpY9UBUYG99f9Xot55BmjO2ZQrreivHcPUAUjYM9/3xz0FMiw7TO
MXZzWfX96g6Hl00/LSLjIBfwC6aJw7D+63LpMKVICk0PC5f1aRJtoreBaDZub7AQk+2KyJkoXsG4
Gh5zsvcDtKSGE9MRDrDALQIMRu8GjYUrWK/rsgYGWBk1jLCVsFJh/z62YWAbZIGLhfQ94aYam0BF
bzO0RGxSzkmLiifdJfaqesoZd83nF7vV941dnZQ/+6z55A2p7t71P53263In88MTfVHss/QyYnFn
XDJNeAeGqnG8mLIZMtilHeevqwlevlD+1aVgqiWpH1kf9cGVYDwoA2uQzBS46lJK2ZHFsirmHBjZ
mhDKUC/pz4u9U3kXD8wSw8P3Sz16/AzBay3OmF+nDpMVIIQ3Q6p28O1Yzel7v2xjvDZiUKAOgO0Q
yXLg7NM7AWqPo1NjlFHvjSOndEsqtgHN68YSpFaWm825krp8B5lHkpdRgBpf19ZuBHnbmqr1qfNx
AN2faFmIiA0sSR6hGgK6vm5tRnaT4rihsQfzeqXCcV5H9I9VucZFkrokWnMqmi2vBF9KtQQFkpZY
ZbVHOQVTKg5iLGqGxoYAFROcFxS6q1zPVlRdXrANf/EtmehycJhYSVwzWhj5DD+s9XR7L7QaFuQe
oqnyi5lFYMNKwnGisVynwOyh/0kBAgBfAdvTx4fO0isGtDbmAlKvUiUOAO4YV7DHnmXXM3iraNIt
VKiH1IjaoTofn0M3q8AceWJq44lR/IjstyI3LsMjOxNfckAT1u4qppkPphRGnvr9aJgiHibIONMT
EKNFful9OjjRRVLB/xG+M49GsDCjCzbSDS67EwbhEtifbQvMAsIQAKgrRnePOaPDqbSAW6wvSyRf
gyIo/IHWYzNefe+p0tNxjR+x6aS3LQL4nhx4Byq7NaSYErRtYa0WXCCFH65gseXLfB9I7YV8zBLs
wOz5FAz12/oO02MGGd1UIK/oTkRanFuaolfkS0VeAi32SoBwi1m8dhZrYcg24NcxRLlfcTUHzE3W
nYRWs+Ss78z2jmYdF2H39CNTvBS6yi6A0B4aenIBpq6hM2mV9eKQSiC13O7VrrkTvPzEAP9hgFE4
OTPfa0e7+96828nYYWCOJX/Ogm/iKfW062l5g7RrwpjR0znv/rzUUkZyLfhhhtFqJzYSuoleTL7f
3cN3zyVFT8Pr6ZYjDlrXi1SadKBUFBxzUY1gkLMe0j81Hpx1NdGr9U/egbQ/GfDQ/gAHVl5s9CQ3
LvVVGNoxz1WViUeNFN3+ihVr2sjdGTS4QLwBKUp1kzzy22I8yV5yAC2qQZ+a6yX3ZSSUKWbgI6S1
zCCezHZ8/Bt/csMf03qRVOA8yyuqr+JUxxoo1s2PkiKZbz98L6GtgGlYOcFi2LsgYR9NW2rPH/CA
KwuyFSDX3jOJ6f3DTqC2Fkx+78OeGxOLZGHv0QTltXzChxJ/rcyTSU40O1e+WKrHFeua6D0n72nf
s0SBArO4D7b/LcaeLeOZ4dbMqRILGJ5am77QMF85veL8WWSHCMaMuEivTPNkJPjww/HJ+jyDnfz6
wyR6XpbWlvNzbCnewLLouSfB3MEvmSoz6BTtJ+zktYynCwl8CfWZq7RSNnLlIhUkOrhCgMXaVqQS
DUO72ZSm/zK5t6bpqHTif0NrNiEs74LiVBJkGOZHF8AC/TzThY9wAr7oRRcCkBh+kSs3voPG37pn
EwHyNO5x9+7amaA5q4X5Es2cb4b7hJ1cXGxxTyYEEdthIp4iUayU7YzAo7Y+vRscqeS4txBu7+Wb
ISDgEEtcpKcSsuoe/t6iJaesNRBH9UpqwJu7m+LQKghvoUwjaCW2T3UtYuf73pJF2DQzJcrCKnm/
pZf4zbZpTpjp97t7ejyZbAcD9qim5K9g8q1q0ADON+GAVS/imiUpm6xl7u/IPoZncZvYSOcVoTto
UsfMkS7kSdZSLyBcacpDE9ijbGhk0k/2kssdKHg0EUiMWqckLGC0gZzG+UKI780zc2Z/25k2h7JB
Z/g3CXB8XNKgibRcc62IkZKowGEU3+Q1vQsQEp4jS6THIuTqCY4lgRkCtaRd9hqfI54GUlCK7noa
E32Ccokl+dlOYJuHeWGq8hVvXDyO1XQ2hrJtj/Wjsc68nbZxbK7rEVfLXgsVSro7tBt9azyhbTdv
2KsC9Bz9LE9YCiTpN2PqfxIg/fXJR0o+VuixT/TZoreFV+ZuUNW5+t4ltEfxA7fBkA45bc8Fdupm
w+VXi7FQMJalN9FLRAcYUAyJOCxFm9GhbFQrMUJyaVVLov6CLdi8uxKwMp0imx0AE4UoEBfeZOAB
68KQ1pdDeP82mrIroICwwY1abUWiP21Gl63QClK7gtQVUMEs6WdQZtcU0iNwB5cd61QYaGBtalcZ
zuv/GUiDpG9NtmpkUClbVoTE24Gwii8Z4fF09iXJQB1QJ8FKuvBlZJocCKdC0ieSyZuJyvmsmP8f
uS+1fdzydxVCHv3HGwoF6mt9DljKng6uwaZNNjyjpM5RRga5ZxRGkIFBH8SqYCZxNYkGlgTvluO0
Pg1yEYZbLqOpIS7sbjOY/qj8pB+l2A08CtR4Ln2czKaJXce3AyqhBP8yx7F0JBJC12T4dNbOdshc
LPw1m9m5qD3FhpXGQJDVsft7X3ZWE6Wnda2KdxBl0/5RZkNFiZy/Q3zhfVkJ4PfhXuNMtDebtZdV
pBuetmZk9zuM1xlelBNw9JFq8q0bxHf8ZauBK2nfqwHmsj5TM56tcJHbdzjDqPpeMCbKtvpNpTtr
x0mWfL1YW2enaC1O5QQtZnKvEqtEhzm2EZXX4GUwUu//UbC0FRcCiDA1QnSHrdSbQk2CCOlUM70l
zTzGEWZWDwlxkMA7HdJsuh0fOnlFfZe2lNApsCdUUeaAhjHzp/7dbp2GqP0pEFCVJ1sg0RvyxREn
tbHjDASFTYbPrXesTDc3wbiGNy7Pg5vLFqMoE4xGqk30kjwUK9pZmpfOUC4UFxBX9LJem2U8Glv4
GEvwHavjjG29Rue1xS3ZuxX5sRQ5YUUq3okwMnljKAIPPzADUmMoxFNZcHHu7hd2K5fcAn3DSpd/
yUGff9a8LzlLZQAplQR4CObj6vhUOXvgJGO6cIZZ92CWa1LthaWuJXQLt6iC1yTohKAzyRAiN7IA
Q3R1IMX0U3P69oFiEySkrBh46ArE5JsJvzl4jHay2oTQvniWoo4jtzxY/ywFNZ7+oBU0UAbbwDPg
kx8+gai6JYER75UNguL2WLHSbRmaNrNDS8PKoi0vZWF3W511n1Xsln7DxygA8cAgHPiRBZVovUEF
ACBYGGMqPI1bzyvOzzVtwWby1T219CRWCRSyQbkwQk7jlkwADv0gBdsvKCvjvB3A6mQL93AYinCp
3LT+1YnDwLukG8WNXz7o4dvsZ1gZYkHoWkOI9UfFaJ163kqzfI3KD+DGKYzEiijQ4euViV5flOEL
JVIyZi+JsGxYolH68zyqIHaxHgHTpOh8eJSxDr6G79u0Zn9v3vcD/DDH2G514wbZ7om8zJ252/PP
rSoj79t2qyb/APn3yR8gL1xs9f7ImIwpgePQnPNOtKZbIIpj4kk5h8H3LgV3RafK7StpXtITUC3r
77jvDHiq8ovLS0BVAnIYS0+tHGt/c5a4glIs9U370WVf+dMHhaiWtne67ZoVO3k50Ai0ebvdvILK
1cmyIFwYnrtN4Idimt9MMQk7OIRU7EwV1cavq4ydIMFd/tW55F+oBXx4iLsH0WmoNuY/HEXh70fU
29gt7dNrLne81ECTb13nafwG14lYU0+YiRPuotz3n2gR7OECBfA1Q0s2CDytpSlF6B5mgZ/D8ljb
3QIIMx/UV6uUF05Sel9FfFarhZxWZYDSJtbgq93pOUphbjmZLiVufW6MebA1ozNTJw1SIPCZCDf2
9y2rKoVP9KEwyiwiHeZf5abioTtqUSfxDOY171cOK8OCvlid1zU6+9lYkEG9/xvsKrZe/UgxpY1O
5ypGcBe2Dl4SO78QsFT3IENUO/75UaxDvr/obBgorROGNUHylVtaHjngYt5kLhyys1SK+IplvgtZ
UGLJZLSjx52DGIncxnh2idaQP+mqCHnPjBueVretimfUdUZwKLtFqplsyyzc/Fsb1LQ8t2BhPKxP
AGdx8ztpL7cj9ZUactZN9Lr3nVTmYpnwl57RxmNEEggt9oYntLmAVp+LX5GUeeA9g/dUpmYCD7Jr
DI0elrH0tmwqA9R/lVIKZH5V+qTJdN03siBhQZTHT4KfnayMiY3q+KDo7tY2Sn2XLPOmYy4Q3Ses
NoB15D9rCidOz2GkbX+f3aZZJjEQmHehFst7yibL74MZ8yTlcZ2n7rDDGtcmT1jySNf7nYeB0Uwa
Z9Kknzfvjb3fmcrZpRAvcPshFfC2Ub4CJ1Ez2klrp9rDsALT2JeuAfOMOnuQBUai0sWwSTXtOZBR
sVKzIIDegWT6klF4+QCR8QP/SUoI0vWPhm+mglfNmcfkWFBglZRQcwsy3sty9HL41+MUtBnjsTXU
1H19u4zuh0+IOpUs9Sdn0fP2A2CHoWQiRkDRFpPTCWOma/SuNyfWqqjhbKZRsUHrBCo39I84dn2F
t6qsU6zob94dLxhN1MFWoQKiCAf97jnMwbYI7EoDdw0sJYn8HweJe0Jbyr+z/VKCb8hh7jFQ/tWb
TlB1NjLRb3z4nqF7hYZNlLNu5S0/0Qofqnlp4cKtgVCYM2K0TqjSrRuZFmu6BuvjEPUeStaWOHuJ
YzS32b8WiP0EMU5VfzEwTJ2KGF3Vgy3ecc+hW1rRtYLdI2qV0Tevt9ICmqINMrOYnUGbSBv2nmZT
Sa7meUFBYdgSsgfhh433hIpZPvatvnRhD69HT8C7XyW3f9fbmCT2S51ETl+mPk+oAfkNdSWGZMe9
JKhIAtLUByBGOLdl9NEdnFy2CJwymDK8msR9w+VBQGQh2RpXnNGAHroxITNdHV4iiYNM8D6nuElQ
m1L/b46EZPb0H2zDrEAy0c06/ZiAZlqEGBSDxYeK8bYgfxoByFxDwGc5ZbbwE96QchcmpDt1i1Fd
p4pmEsq2szW/33VQsSpEo2ge26/n0iL1AMa6Pk6gERhUVRfhd6D8d9C+d3oL50Blt+TgMuc47i8k
OQ9nCVEKZ5MUrgqd+IvrNojd6zCLTQnh54TqrvbbU5lqcB2622HWqpxE1MiLpvMr70r2Q/OJETpe
VUDsR3lahuawjvLHJh7MLpG4A5JdbNzjCCCvK9lTSzlGvtp0RQvzLeH96+cmBW0KadUhWvWI8V4b
LMcEiEOrwwJACtNGO73CDDcM2/tkWq7H5z1chbtukUxil6UuZJybxxygsH9fYGalGXtkFxQlHpTf
s/TlEwDZI/b1PsxdyYQQ9MFyt0+1DvpNxbs59bKOO0S+osuFJ9dLF/OTvhb8SQCRnIG6q/0v6Tc7
+rH2Y3/1tVhF7Y5WyK1l44zVyKrZF6Hfc5Khl1YjWtY0v+rzWQ8d2DKnix7VDDKb0ECmJg8re/c3
G9qRICHoo2pdYNDYuzBSX/bRakWigY07jl5De5kU2T22rKGrOVl2qhN6zkVZiZjCc9DEeUOkkMo8
bU5siQgRn4+4Ti4wLZKpnURoZgkcbj969xoAkXOlfn0wtu7qXN4PnhsoZ4fJTT+oevHw9STFpHwS
uYEP4EE27uHQ7s7VvgxIwPAqybZNBa1DTOGcf238x1wZ6jNjuNqrgEUum+d+5gK8G9vhVFVBZ145
tFGhU42Tuc+XaaPb9Os3j2z6+63AsAYGQ3bn/b2UZ3EbV8tjQ0/uQjsMuLgurLAknQuPgQiC2znz
sfMSkUBMsfatXTpoV6cPYN4Bgqy4WLml2bootgb0l6xoG4Syoxb2m0KGi+RDDiBU8rL/e6AySxUr
tQfqyRNYraWBGX3uafh5pgSN+IOU7A99Vvj5UTWCG2BpWDemxsrplYEegvTEqHsDIT7rRge3a6xL
oMWTDSzkgK/2F7QStgDA4UDbousxipHoBw+ju/QmTNVmkaNuBl3aTP3M7j7hokL6YhbubS4ZpIPR
yWLKNuZQDuc6WxnPIFK31MQ0Vy5dW7d9diLcLH9DkRQUhFGiSNrl2POvFn/8GIujPUmEZqwPX59M
VdUBisdd8x2xmrl4jiHWB4FvzNHsO7GN5+3vo7dm4zwxgS2D3HZfcw7tiDO/a4LWx2ZTmWX9bbPN
GTqQW76pQmbd+KKTQ6ai8LjjtLdLkmuVCkGqTQhlkq7NhUDu2nJAXafebGjfhkPgEfjIgJ0Pf9ZC
a0bbX0HmS1aXm8au4/yTy+OZRNO9iKmE2hIP1NOKYxfL+2+0sWwvrsnseMKKUFa2gz/39FhccP9N
Pj6aCEfy6aosycVKMp1FsWnOb7HxKlZ1wgEzm2Ub8P5XFz+yR5K+Xs9SF80wcjws9xy9fZ5zheX7
J4M0IQtqs3LRTXfc0nWUYklpqEchkQebuhWIxDBrI6WOQwSXUFtWfzPHZTYUql4boPMikf0VSIQ0
gEQ9S/s1+TmW6YRlMaoHT6sWCOqNtYd1wK00R65W89PYV5olibQmPKMZ6I1dhVS2xvG4+m/w42Yt
3rufM4hlBMN/Xty7SFe0MUvn6gBAlldk4L/Yw8tF5F34oxt6FiLpON2M68xhhceijyJIehfjVdUs
xTqc2xOqiWCUoG0O/oGVFLe+DSYg/1kXA6ass4+Mb5dumTHkH+g9CbGVTmmTWV0/V7dtBbRDQvav
+muuM6ZTECx8488yIl1n7KzNWi5wyRYYbufWw5K0PgK8E+mfYi6cX+jE5dKUOIHLw6zGT9VTTBuk
bwz4dqgaSDLk2ompWXpQUU9xiZ/5ldgdPVD1TUBiiwa3qCv+1F90QpGGV8pPw4Sw7KWfeH47xr4X
HQI7GXDxpPGOGv9Fto6Tykp+SletYLWl56Yryh4sU2AFSq+KBegInnNu+snI8WnqCxmNLlZGDX/x
rayENt6P9Ji89+V3Wml2X9t7BOkBf+Tadd2oXZKYu99osw6xTf8EgHj5Ee99auhq9M7YaMS3GVD5
wO6jYXbXkFqHmdHFdHiNo4kFTF5aGA2uVdFWNNOUm4tl9Y+pnHonYJTzp8JqbOFxdX1XK4SHfNJH
7UglqnvU01Auqmo8raxrUoqU/XRVDHeiVc5tEjeiKvHVG6YhaqjvC2K1QTCPjUZroAxmOBP/M1v1
cSquP7ObBO8VOSTguForq9jVlUXlIJWc3BtDn7F6sp50i+YD+hbpkfs4sK2J6uN2kFV9lu5WFcpp
CYdRfC8ZwgKT7wgYbj4kuhxUREN/WPZIfWKtnDK5Vi4yoifIIyQrcmLveUtS/ABSGgEOSEsvMf0g
SM4SKaDHAJUWzRc8DSMmamw9OMMFm3w29aH2CwwGQl32S8MtwYbpVkyI540A+QqY8K6V5916Of7N
3Gd1aNyMytw41zXV2qUt0WUG4rNbigErqmsrAGFkcifKncoOf6muECPrJNR6QIv5FbGyj7TQO8p/
V5sIKIJsz0qqCcj/M0XjoD6S36ukx4BzfGX+vR8hFLp/05P1m580gigXR/bnhqMauBck5qvj4DM6
ACrkaKwqr7TI9yXLmtyFbN+Jzuynke1DD/xhbWZeXW5NIpBrOxjxIZ7KK9klIBWoY+RhtSx1HvQ7
7xuCINRNpcAJJh15Zmb30eLNe+b5VEEeT6a9MTJuT71SfP0/MuA+atGDd1kKKSp0Nl8KfF9uFeox
LVnrN/fUQxoq+QOLxmNF0NOs83KNiEc84GfJuVqQPsXtJuOpyWK3XWVYz2awRFZ02tQf8YbfWJx2
SF7chjWCqvgVMgE30qb/MgtG9KFK+uwDaiU+M1bFYWoFQ2kAwAA++1JhimmjJgpYvU6iBgIpGsy9
mgaBbmyW6sKV23wIcP9RA8b+wytA+Ac2bBlRIuJ2SudNRAjI1xDA/K0mDhaUeKlkuBVNhGC5LnMn
ICL7yx6bW5oNo/1cO0MgVfuFgpj0KzDzgfyfzR1TKoBOk5rMnQ0mQU2JyDGSCXyb1WuJJ70v8o4M
CuGjLzelzo9e7mgOry2+ttAeRbJKINSLr5rIr0//UdgCGiou6Ttek6C0xNzO5GClz9bJ3lHqfPUv
ewKOxnII+TsbMwcFbs+in6+N+KAgtpVAVSyM4y7J6np3UcGf+arQCQkeXXPqjpKO062HckdCUeUH
ADk9FhpyVIuQpxRoMlu+pub7vgc1f+njvdc+mw/lw4ZLHziOs4kSP/Gs9Hgn0GpxU+KJorGZL6iD
/ys7XUCiQc1P6z/yXM+JWeFL9Oz5KXGWcdVvKxp4UJzG69VwBCjqTt5ovt8jOFVTNGRBiJUV9dxA
Q2ncMkgbD4Ew4oI52Qy4xJoGTBHZYTCa0A6hPQWWgIY8lU9Kls9fGpT1lFm/TKe5Vor9zrXIvDrB
vaz2A2iUVJhl9epJj0djxV/tT2u++rdCBp2Uz0HTO9hVsUlAAtwourMFMXoEhifc/zF7d1/8F4Th
Aodwn8cRElgRLS+eFOMo7AFuth96YxTXngexcbUdsHbWAc0se98vFN7Y57XwHfK4Ly9Xn6aEQ1qO
3x+wuJu+xCJR/d8Q7/JKg3kwkJnT6cQPrGxPlJ2NHX+H+5Gt9W0jbLfMtD2E+4f86IN2nElrIsCw
FrkgD80qsNf99OU2jHIrFa68JeaD+aohyjfDpnA077eEcm2pB07wKAi3+H1CgFEt3MPV6frOb/4E
V2N3p+9XWNruNSg22psQgt7LUP3tiBbrNuBBIDHqjRB9d22ZSBbsgcuZigmW8CPrwPFrh1arWLD1
U03vNhXaOU/jrDF4bxZoJ/BqtvPDCvLxJJsslX6La08on+mWfxcKHnAIMCALlJmBBaRzJJvi9gLQ
wtxpLx+L6uUvtthjn5Ajkt3f0UDKLc/1bbYJaAzh/gl6Nr75PrCqVVdsex92HLn+/ucyCT7VXkC+
tRxVz4dka0DE7LfvNVr2Ji587z+3dBGdQmMoS6cNKb2Dix9q13rsumnrwXhQuAGJyeEpjO2tkU+T
8Gm7I18QiIO3zoTSGnltLLtDLLZpg9/qOJrWu29At8hJJGbjLn83i20Wi0zJLBWglYsuwH6c6i3g
IoNRKSfVwIBealidZxVTMXepu5UOI8uuq0NIF15jLizs9YKOpzH3t5d/pbAfkdjJrD8LrLVkMU0A
q3Kdz8qacT67xjiqI9TVrretWRlBrkSsIC6RsbzU7f8Mfg6r7/Motm3+msByckjwS29cz4rEhRY2
mxiZ4Dy9gX9eJg8/7jIKMerFjk/UbGU6+yEXzu1eboI/dzNn5201pIdcybnR0kI9bxo7ZJ8AIKp1
aPHIgz079Ye0UHzRfBoN/1VMc2CmMF15V1beeITq/yWV9dRVeZ/r7dqkxgs6gs+FeULPeSnBy9Jv
9/maQsVInQrQUk1n1H+1aoXEo1FcZ4ZjU8ww2c3F1PPdhy73En/HQJbWvGJAn2E8+i8ywizGBuCw
EGjSzKg83YcaU3TDN3+LatotgRmk6NKegTKVfvqQgiraPb4qAMx08zG/XWeiFo8vZkUGF/2WxqZE
poH6kjU7hQmzFfiG/VthUuoJFKYMixTkz4NXA6cV34X0zMglOyKTKaM3k0T26y7O+pbRcpBYqisX
tCB3Kr2BT5m4u+K5m0GT/chEL3eKgMJmCYctgfa9J0hv1Jdo96EHyEbbsdSj9xVvInOPQZ3G/rjk
fr+r/xdJX/tO3/HSHbTtBOpYzYTLBwE7Vkkv/UNxB3ho4RHCt0xsT+utaMOIoKv5ADcvsE0aPou9
dygj4eDwtrPr1D16o3R7NEP4kzID7MGrlBLf/6wAAAzkCmVuZHN0cmVhbQplbmRvYmoKMjQgMCBv
YmoKMjgyNjYKZW5kb2JqCjI1IDAgb2JqCjw8Ci9MZW5ndGggMjYgMCBSCj4+CnN0cmVhbQpxCjYx
Mi4wMCAwIDAgNzkyLjAwIDAuMDAgMC4wMCBjbQovSW0yMyBEbwpRCgplbmRzdHJlYW0KZW5kb2Jq
CjI2IDAgb2JqCjQ0CmVuZG9iagoyNyAwIG9iago8PAovVHlwZSAvUGFnZQovTWVkaWFCb3ggWyAw
LjAwIDAuMDAgNjEyLjAwIDc5Mi4wMCBdCi9Db250ZW50cyBbIDI1IDAgUiBdCi9QYXJlbnQgMyAw
IFIKL1JvdGF0ZSAwCi9SZXNvdXJjZXMgPDwKL1Byb2NTZXQgWyAvUERGIC9JbWFnZUIgXQovWE9i
amVjdCA8PAovSW0yMyAyMyAwIFIKPj4KPj4KPj4KZW5kb2JqCjIgMCBvYmoKPDwKL1R5cGUgL0Nh
dGFsb2cKL1BhZ2VzIDMgMCBSCj4+CmVuZG9iagozIDAgb2JqCjw8Ci9UeXBlIC9QYWdlcwovQ291
bnQgMQovS2lkcyBbIDI3IDAgUiBdCj4+CmVuZG9iagp4cmVmCjAgMjgKMDAwMDAwMDAwMCA2NTUz
NSBmDQowMDAwMDAwMDE1IDAwMDAwIG4NCjAwMDAwMjg5MzYgMDAwMDAgbg0KMDAwMDAyODk4NSAw
MDAwMCBuDQowMDAwMDAwMDAwIDAwMDAwIGYNCjAwMDAwMDAwMDAgMDAwMDAgZg0KMDAwMDAwMDAw
MCAwMDAwMCBmDQowMDAwMDAwMDAwIDAwMDAwIGYNCjAwMDAwMDAwMDAgMDAwMDAgZg0KMDAwMDAw
MDAwMCAwMDAwMCBmDQowMDAwMDAwMDAwIDAwMDAwIGYNCjAwMDAwMDAwMDAgMDAwMDAgZg0KMDAw
MDAwMDAwMCAwMDAwMCBmDQowMDAwMDAwMDAwIDAwMDAwIGYNCjAwMDAwMDAwMDAgMDAwMDAgZg0K
MDAwMDAwMDAwMCAwMDAwMCBmDQowMDAwMDAwMDAwIDAwMDAwIGYNCjAwMDAwMDAwMDAgMDAwMDAg
Zg0KMDAwMDAwMDAwMCAwMDAwMCBmDQowMDAwMDAwMDAwIDAwMDAwIGYNCjAwMDAwMDAwMDAgMDAw
MDAgZg0KMDAwMDAwMDAwMCAwMDAwMCBmDQowMDAwMDAwMDAwIDAwMDAwIGYNCjAwMDAwMDAxNjYg
MDAwMDAgbg0KMDAwMDAyODYwOCAwMDAwMCBuDQowMDAwMDI4NjMwIDAwMDAwIG4NCjAwMDAwMjg3
MjkgMDAwMDAgbg0KMDAwMDAyODc0OCAwMDAwMCBuDQp0cmFpbGVyCjw8Ci9TaXplIDI4Ci9Sb290
IDIgMCBSCi9JbmZvIDEgMCBSCj4+CnN0YXJ0eHJlZgoyOTA0NQolJUVPRgolQmVnaW5FeGlmVG9v
bFVwZGF0ZQp4cmVmCjAgMgowMDAwMDAwMDAxIDY1NTM1IGYgCjAwMDAwMDAwMDAgMDAwMDEgZiAK
dHJhaWxlcgo8PAovU2l6ZSAyOAovUm9vdCAyIDAgUgovUHJldiAyOTA0NQo+PgolRW5kRXhpZlRv
b2xVcGRhdGUgMjk2ODQKc3RhcnR4cmVmCjI5NzA1CiUlRU9GCg==
--=-=-=--




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#19479; Package emacs. Full text available.

Message received at 19479 <at> debbugs.gnu.org:


Received: (at 19479) by debbugs.gnu.org; 9 Jan 2015 02:38:02 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Jan 08 21:38:01 2015
Received: from localhost ([127.0.0.1]:40578 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1Y9PSb-0000hV-GN
	for submit <at> debbugs.gnu.org; Thu, 08 Jan 2015 21:38:01 -0500
Received: from pruche.dit.umontreal.ca ([132.204.246.22]:34261)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <monnier@HIDDEN>) id 1Y9PSX-0000hJ-86
 for 19479 <at> debbugs.gnu.org; Thu, 08 Jan 2015 21:37:59 -0500
Received: from pastel.home (lechon.iro.umontreal.ca [132.204.27.242])
 by pruche.dit.umontreal.ca (8.14.1/8.14.1) with ESMTP id t092buWJ022287;
 Thu, 8 Jan 2015 21:37:56 -0500
Received: by pastel.home (Postfix, from userid 20848)
 id 095CB53F; Thu,  8 Jan 2015 21:37:56 -0500 (EST)
From: Stefan Monnier <monnier@HIDDEN>
To: Kelly Dean <kelly@HIDDEN>
Subject: Re: bug#19479: Package manager vulnerable
Message-ID: <jwv4ms03cj3.fsf-monnier+emacsbugs@HIDDEN>
References: <jwvwq4x2vi1.fsf-monnier+emacsbugs@HIDDEN>
 <quFzgVhBDz7zhUp0lS56OK32kQQjWsi4jSGZeullV6K@local>
Date: Thu, 08 Jan 2015 21:37:55 -0500
In-Reply-To: <quFzgVhBDz7zhUp0lS56OK32kQQjWsi4jSGZeullV6K@local> (Kelly Dean's
 message of "Thu, 08 Jan 2015 21:06:35 +0000")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-NAI-Spam-Flag: NO
X-NAI-Spam-Level: 
X-NAI-Spam-Threshold: 5
X-NAI-Spam-Score: 0.2
X-NAI-Spam-Rules: 2 Rules triggered
	GEN_SPAM_FEATRE=0.2, RV5180=0
X-NAI-Spam-Version: 2.3.0.9393 : core <5180> : inlines <1737> : streams
 <1370320> : uri <1841765>
X-Spam-Score: -1.3 (-)
X-Debbugs-Envelope-To: 19479
Cc: 19479 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.3 (-)

>> You're one of the very rare oddballs who can't
>> be bothered to sign a trivial document to get this out of the way
> That's not true. I offered to sign a document saying my work is PD.

I didn't mean "a trivial document" in the sense "any trivial document",
but rather "the particular trivial document that everybody else signed".


        Stefan




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#19479; Package emacs. Full text available.

Message received at 19479 <at> debbugs.gnu.org:


Received: (at 19479) by debbugs.gnu.org; 8 Jan 2015 21:13:14 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Jan 08 16:13:14 2015
Received: from localhost ([127.0.0.1]:40413 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1Y9KOH-0001DO-Q1
	for submit <at> debbugs.gnu.org; Thu, 08 Jan 2015 16:13:14 -0500
Received: from relay6-d.mail.gandi.net ([217.70.183.198]:38270)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <kelly@HIDDEN>) id 1Y9KOG-0001DG-0r
 for 19479 <at> debbugs.gnu.org; Thu, 08 Jan 2015 16:13:12 -0500
Received: from mfilter20-d.gandi.net (mfilter20-d.gandi.net [217.70.178.148])
 by relay6-d.mail.gandi.net (Postfix) with ESMTP id 295F3FB8A4;
 Thu,  8 Jan 2015 22:13:11 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mfilter20-d.gandi.net
Received: from relay6-d.mail.gandi.net ([217.70.183.198])
 by mfilter20-d.gandi.net (mfilter20-d.gandi.net [10.0.15.180]) (amavisd-new,
 port 10024)
 with ESMTP id oDudae0bedJC; Thu,  8 Jan 2015 22:13:09 +0100 (CET)
X-Originating-IP: 162.248.99.114
Received: from localhost (114-99-248-162-static.reverse.queryfoundry.net
 [162.248.99.114]) (Authenticated sender: kelly@HIDDEN)
 by relay6-d.mail.gandi.net (Postfix) with ESMTPSA id 07999FB87E;
 Thu,  8 Jan 2015 22:13:08 +0100 (CET)
From: Kelly Dean <kelly@HIDDEN>
To: Stefan Monnier <monnier@HIDDEN>
Subject: Re: bug#19479: Package manager vulnerable
In-Reply-To: <jwvwq4x2vi1.fsf-monnier+emacsbugs@HIDDEN>
References: <jwvwq4x2vi1.fsf-monnier+emacsbugs@HIDDEN>
Date: Thu, 08 Jan 2015 21:06:35 +0000
Message-ID: <quFzgVhBDz7zhUp0lS56OK32kQQjWsi4jSGZeullV6K@local>
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 19479
Cc: 19479 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.7 (/)

Stefan Monnier wrote:
> You're one of the very rare oddballs who can't
> be bothered to sign a trivial document to get this out of the way

That's not true. I offered to sign a document saying my work is PD.

The following say that's an option:
http://git.savannah.gnu.org/cgit/gnulib.git/plain/doc/Copyright/disclaim.manual
http://git.savannah.gnu.org/cgit/gnulib.git/plain/doc/Copyright/disclaim.changes.manual
http://git.savannah.gnu.org/cgit/gnulib.git/plain/doc/Copyright/disclaim.program

The copyright clerk declined my offer.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#19479; Package emacs. Full text available.

Message received at 19479 <at> debbugs.gnu.org:


Received: (at 19479) by debbugs.gnu.org; 8 Jan 2015 14:39:27 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Jan 08 09:39:27 2015
Received: from localhost ([127.0.0.1]:39962 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1Y9EFC-0008GU-Qh
	for submit <at> debbugs.gnu.org; Thu, 08 Jan 2015 09:39:27 -0500
Received: from pruche.dit.umontreal.ca ([132.204.246.22]:44384)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <monnier@HIDDEN>) id 1Y9EFA-0008GM-OE
 for 19479 <at> debbugs.gnu.org; Thu, 08 Jan 2015 09:39:25 -0500
Received: from pastel.home (lechon.iro.umontreal.ca [132.204.27.242])
 by pruche.dit.umontreal.ca (8.14.1/8.14.1) with ESMTP id t08EdMNG018520;
 Thu, 8 Jan 2015 09:39:22 -0500
Received: by pastel.home (Postfix, from userid 20848)
 id 6D8221F56; Thu,  8 Jan 2015 09:39:22 -0500 (EST)
From: Stefan Monnier <monnier@HIDDEN>
To: Kelly Dean <kelly@HIDDEN>
Subject: Re: bug#19479: Package manager vulnerable
Message-ID: <jwvwq4x2vi1.fsf-monnier+emacsbugs@HIDDEN>
References: <nhoaqaey17.fsf@HIDDEN>
 <iKceXlDJbawOYczzAAZidbwV0Sq68CGaBNzyymlTMR2@local>
Date: Thu, 08 Jan 2015 09:39:22 -0500
In-Reply-To: <iKceXlDJbawOYczzAAZidbwV0Sq68CGaBNzyymlTMR2@local> (Kelly Dean's
 message of "Thu, 08 Jan 2015 05:29:44 +0000")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-NAI-Spam-Flag: NO
X-NAI-Spam-Threshold: 5
X-NAI-Spam-Score: 0
X-NAI-Spam-Rules: 1 Rules triggered
	RV5180=0
X-NAI-Spam-Version: 2.3.0.9393 : core <5180> : inlines <1730> : streams
 <1370080> : uri <1841707>
X-Spam-Score: -1.3 (-)
X-Debbugs-Envelope-To: 19479
Cc: Glenn Morris <rgm@HIDDEN>, 19479 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.3 (-)

> of PD code is, I abided (and still abide) by your wishes. I submitted this
> patch because Stefan invited me to. Maybe Stefan just forgot that you ask=
ed
> me not to submit any more patches,

Indeed, that's the case.  You're one of the very rare oddballs who can't
be bothered to sign a trivial document to get this out of the way, but
for the life of me, I can't remember the names of the handful of
oddballs, so I keep repeating this error.

> but I assumed he invited this patch because a security vulnerability
> counted as a =E2=80=9Fparticular circumstance=E2=80=9D that your copyright
> clerk mentioned.

Emacs is full of vulnerabilities and has barely started using encryption
technology to try and eliminate some of them, so no, it's definitely not
"special" in this sense.  And in any case the "special"ness usually
doesn't refer to the usefulness of the code but rather to the fact that
it'd be difficult to get this code some other way (i.e. it's both
important/useful code and it'd take a while to rewrite it).


        Stefan




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#19479; Package emacs. Full text available.

Message received at 19479 <at> debbugs.gnu.org:


Received: (at 19479) by debbugs.gnu.org; 8 Jan 2015 11:41:19 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Jan 08 06:41:19 2015
Received: from localhost ([127.0.0.1]:39908 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1Y9BSp-0002cX-Cy
	for submit <at> debbugs.gnu.org; Thu, 08 Jan 2015 06:41:19 -0500
Received: from relay3-d.mail.gandi.net ([217.70.183.195]:38051)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <kelly@HIDDEN>) id 1Y9BSm-0002cJ-9v
 for 19479 <at> debbugs.gnu.org; Thu, 08 Jan 2015 06:41:17 -0500
Received: from mfilter17-d.gandi.net (mfilter17-d.gandi.net [217.70.178.145])
 by relay3-d.mail.gandi.net (Postfix) with ESMTP id 4EAC4A8109
 for <19479 <at> debbugs.gnu.org>; Thu,  8 Jan 2015 12:41:15 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mfilter17-d.gandi.net
Received: from relay3-d.mail.gandi.net ([217.70.183.195])
 by mfilter17-d.gandi.net (mfilter17-d.gandi.net [10.0.15.180]) (amavisd-new,
 port 10024) with ESMTP id mKUpHm4WQn4J for <19479 <at> debbugs.gnu.org>;
 Thu,  8 Jan 2015 12:41:14 +0100 (CET)
X-Originating-IP: 162.248.99.114
Received: from localhost (114-99-248-162-static.reverse.queryfoundry.net
 [162.248.99.114]) (Authenticated sender: kelly@HIDDEN)
 by relay3-d.mail.gandi.net (Postfix) with ESMTPSA id 268DDA80D8
 for <19479 <at> debbugs.gnu.org>; Thu,  8 Jan 2015 12:41:12 +0100 (CET)
From: Kelly Dean <kelly@HIDDEN>
To: 19479 <at> debbugs.gnu.org
Subject: Re: bug#19479: Package manager vulnerable
In-Reply-To: <iHwGTo6KPGu52f1tOLq6Ek7KcZ7r2tufrT1z4GnPndF@local>
References: <iHwGTo6KPGu52f1tOLq6Ek7KcZ7r2tufrT1z4GnPndF@local>
 <jwvd26p7rga.fsf-monnier+emacsbugs@HIDDEN>
Date: Thu, 08 Jan 2015 11:40:25 +0000
Message-ID: <gJC92BoKwjBw4ZotCb43HoQHyLvVEn4ZGGyrbpU53VM@local>
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 19479
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.7 (/)

BTW, Stefan mentioned (see bug #19536) that you don't use package-x for elpa.gnu.org, and instead use some other scripts, so it just occurred to me that you might not immediately notice that my patch not only verifies hashes, but also generates them, so there's nothing extra you need to do.

Just use package-upload-file from package-x.el, and it will automatically add the appropriate entry (including hash) for the package to the archive-contents file.

Apply the fix for bug #19536 if you want package-upload-file to correctly add tar files to the archive's package directory. (It already correctly adds single-file packages.)

GNU elpa, Melpa, and Marmalade can start using the new archive-contents now. Old clients will still work fine, and simply ignore the hashes. New clients will verify them.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#19479; Package emacs. Full text available.

Message received at 19479 <at> debbugs.gnu.org:


Received: (at 19479) by debbugs.gnu.org; 8 Jan 2015 05:30:44 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Jan 08 00:30:44 2015
Received: from localhost ([127.0.0.1]:39753 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1Y95gB-0001ee-7Q
	for submit <at> debbugs.gnu.org; Thu, 08 Jan 2015 00:30:44 -0500
Received: from relay4-d.mail.gandi.net ([217.70.183.196]:52157)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <kelly@HIDDEN>) id 1Y95g5-0001eS-C0
 for 19479 <at> debbugs.gnu.org; Thu, 08 Jan 2015 00:30:39 -0500
Received: from mfilter9-d.gandi.net (mfilter9-d.gandi.net [217.70.178.138])
 by relay4-d.mail.gandi.net (Postfix) with ESMTP id C11BC17209A;
 Thu,  8 Jan 2015 06:30:35 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mfilter9-d.gandi.net
Received: from relay4-d.mail.gandi.net ([217.70.183.196])
 by mfilter9-d.gandi.net (mfilter9-d.gandi.net [10.0.15.180]) (amavisd-new,
 port 10024)
 with ESMTP id eGgtsvloA1bl; Thu,  8 Jan 2015 06:30:34 +0100 (CET)
X-Originating-IP: 162.248.99.114
Received: from localhost (114-99-248-162-static.reverse.queryfoundry.net
 [162.248.99.114]) (Authenticated sender: kelly@HIDDEN)
 by relay4-d.mail.gandi.net (Postfix) with ESMTPSA id 1CA0717207C;
 Thu,  8 Jan 2015 06:30:32 +0100 (CET)
From: Kelly Dean <kelly@HIDDEN>
To: Glenn Morris <rgm@HIDDEN>
Subject: Re: bug#19479: Package manager vulnerable
In-Reply-To: <nhoaqaey17.fsf@HIDDEN>
References: <nhoaqaey17.fsf@HIDDEN>
Date: Thu, 08 Jan 2015 05:29:44 +0000
Message-ID: <iKceXlDJbawOYczzAAZidbwV0Sq68CGaBNzyymlTMR2@local>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 0.8 (/)
X-Debbugs-Envelope-To: 19479
Cc: 19479 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.7 (/)

Glenn Morris wrote:
> I appreciate the spirit of wanting to provide a patch, but unless you
> have changed your position on the Emacs copyright assignment, I don't
> see that this patch can be used by Emacs.

I did do what you requested: submit a bug report, but not a patch. But th=
is isn't just a bug; it's a security vulnerability, and Stefan invited me=
 to submit a patch to fix it. So then I did.

Regarding the copyright issue, please don't conflate two separate issues =
like your copyright clerk tried to.

The first issue is: does the FSF want any more public domain code in Emac=
s than is already there? The answer is =E2=80=9Fno=E2=80=9D, as explained=
 by Donald R Robertson III, your copyright clerk, on February 19, 2013. W=
hen explaining why the FSF wouldn't accept my PD code, he wrote, =E2=80=9F=
It really is more beneficial for our enforcement efforts if we get the wo=
rk assigned instead of 'disclaimed'. We will only accept a disclaimer ins=
tead of an assignment in particular circumstances.=E2=80=9D

Of course, he's right; PD code isn't useful for your enforcement efforts,=
 but it's absurd to say it's an issue for my patches, which even includin=
g this latest one, amount to no more than a few parts per million of the =
Emacs code base. Obviously it doesn't hurt your efforts; no copyright jud=
ge is going to care if Emacs has a few lines of Hamlet or any other PD in=
formation in it. The judge will let you sue people for GPL violations jus=
t the same.

Anyway, the first issue is clear: new PD code is unwelcome in Emacs. Emac=
s is your project, not mine, so regardless of how silly I think your excl=
usion of PD code is, I abided (and still abide) by your wishes. I submitt=
ed this patch because Stefan invited me to. Maybe Stefan just forgot that=
 you asked me not to submit any more patches, but I assumed he invited th=
is patch because a security vulnerability counted as a =E2=80=9Fparticula=
r circumstance=E2=80=9D that your copyright clerk mentioned.

The second issue is: is my code in the public domain? The answer is =E2=80=
=9Fyes=E2=80=9D; the author of SQLite says that's PD, and it is, the auth=
or of Qmail says that's PD, and it is, and I'm simply doing the same thin=
g they are. My code is in the public domain. If you want, I can PGP-sign =
and publish on my website a statement that my patches are PD, even though=
 that's more than the authors of SQLite and Qmail deemed necessary for th=
eir code.

Your clerk wrote, =E2=80=9Fplacing a work in the public domain is difficu=
lt/may not be possible=E2=80=9D. But that's obviously false, as proven by=
 his statement that you do (sometimes) accept disclaimers, and as proven =
by the general legal acceptance of other people's statements that their w=
ork is PD, including highly respected authors such as Richard Hipp.

It's clear that the second issue is not an issue, especially in the Unite=
d States, which is where I am, and the only purpose served by the FSF bri=
nging it up is clouding the first issue, which is the only real issue.

I recommend not rejecting a patch to fix a security vulnerability just fo=
r the sake of keeping 29 lines of new PD code out of Emacs. If it really =
is too much PD code, then I recommend deleting feedmail.el (PD) to compen=
sate.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#19479; Package emacs. Full text available.

Message received at 19479 <at> debbugs.gnu.org:


Received: (at 19479) by debbugs.gnu.org; 8 Jan 2015 03:45:00 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Jan 07 22:45:00 2015
Received: from localhost ([127.0.0.1]:39731 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1Y941r-00069P-Uj
	for submit <at> debbugs.gnu.org; Wed, 07 Jan 2015 22:45:00 -0500
Received: from fencepost.gnu.org ([208.118.235.10]:46256)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <rgm@HIDDEN>) id 1Y941q-00069H-2f
 for 19479 <at> debbugs.gnu.org; Wed, 07 Jan 2015 22:44:58 -0500
Received: from rgm by fencepost.gnu.org with local (Exim 4.71)
 (envelope-from <rgm@HIDDEN>)
 id 1Y941l-00010t-Me; Wed, 07 Jan 2015 22:44:54 -0500
From: Glenn Morris <rgm@HIDDEN>
To: Kelly Dean <kelly@HIDDEN>
Subject: Re: bug#19479: [PATCH] Re: bug#19479: Package manager vulnerable
References: <jwvsifq7zbm.fsf-monnier+emacsbugs@HIDDEN>
 <iHwGTo6KPGu52f1tOLq6Ek7KcZ7r2tufrT1z4GnPndF@local>
X-Spook: Becker Clinton ASIO MP5K-SD Al Jazeera Dick Cheney IRA
X-Ran: YL^z>tfo">v-k|{_EMU~Xp6(PyGt^U+2BT(jJ!=vN7w*~2t[#/ejUos`Y8%*!/^-{k5pB\
X-Hue: green
X-Debbugs-No-Ack: yes
X-Attribution: GM
Date: Wed, 07 Jan 2015 22:44:52 -0500
In-Reply-To: <iHwGTo6KPGu52f1tOLq6Ek7KcZ7r2tufrT1z4GnPndF@local> (Kelly Dean's
 message of "Thu, 08 Jan 2015 03:31:01 +0000")
Message-ID: <nhoaqaey17.fsf@HIDDEN>
User-Agent: Gnus (www.gnus.org), GNU Emacs (www.gnu.org/software/emacs/)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: 19479
Cc: Stefan Monnier <monnier@HIDDEN>, 19479 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -5.0 (-----)


I appreciate the spirit of wanting to provide a patch, but unless you
have changed your position on the Emacs copyright assignment, I don't
see that this patch can be used by Emacs.

(Ref: http://debbugs.gnu.org/14492#19)




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#19479; Package emacs. Full text available.

Message received at 19479 <at> debbugs.gnu.org:


Received: (at 19479) by debbugs.gnu.org; 8 Jan 2015 03:32:40 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Jan 07 22:32:40 2015
Received: from localhost ([127.0.0.1]:39713 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1Y93pv-0005nh-Gx
	for submit <at> debbugs.gnu.org; Wed, 07 Jan 2015 22:32:40 -0500
Received: from relay3-d.mail.gandi.net ([217.70.183.195]:51833)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <kelly@HIDDEN>) id 1Y93ps-0005nW-JX
 for 19479 <at> debbugs.gnu.org; Wed, 07 Jan 2015 22:32:37 -0500
Received: from mfilter23-d.gandi.net (mfilter23-d.gandi.net [217.70.178.151])
 by relay3-d.mail.gandi.net (Postfix) with ESMTP id 9A27CA80AC;
 Thu,  8 Jan 2015 04:32:35 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mfilter23-d.gandi.net
Received: from relay3-d.mail.gandi.net ([217.70.183.195])
 by mfilter23-d.gandi.net (mfilter23-d.gandi.net [10.0.15.180]) (amavisd-new,
 port 10024)
 with ESMTP id p4Q03FemWhim; Thu,  8 Jan 2015 04:32:34 +0100 (CET)
X-Originating-IP: 162.248.99.114
Received: from localhost (114-99-248-162-static.reverse.queryfoundry.net
 [162.248.99.114]) (Authenticated sender: kelly@HIDDEN)
 by relay3-d.mail.gandi.net (Postfix) with ESMTPSA id 9E9F0A80B5;
 Thu,  8 Jan 2015 04:32:31 +0100 (CET)
From: Kelly Dean <kelly@HIDDEN>
To: Stefan Monnier <monnier@HIDDEN>
Subject: [PATCH] Re: bug#19479: Package manager vulnerable
In-Reply-To: <jwvsifq7zbm.fsf-monnier+emacsbugs@HIDDEN>
References: <jwvsifq7zbm.fsf-monnier+emacsbugs@HIDDEN>
Date: Thu, 08 Jan 2015 03:31:01 +0000
Message-ID: <iHwGTo6KPGu52f1tOLq6Ek7KcZ7r2tufrT1z4GnPndF@local>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 19479
Cc: 19479 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.7 (/)

--=-=-=
Content-Type: text/plain

Stefan Monnier wrote:
> > If filenames include version numbers and the version numbers are never
> > reused,
>
> The ELPA system in general does not enforce that.  But the GNU ELPA
> scripts do, and other ELPA servers work in a way that should generally
> make sure this is also the case.

But having security rely on that makes it easier than necessary to accidentally open a window of vulnerability by failing to enforce that constraint. It's a brittle solution.

>> then your solution does prevent package replay attacks. Since Emacs
>> packages already include a Version header (and the package name), you could
>> actually do your proposed verification using that header, without changing
>> the way signatures are currently made, which is a solution I addressed in my
>> original emacs-devel message.
>
> Indeed, I realized this just after I sent my message.
> So we can fix this problem simply by changing package.el so as to check
> that the name&version of the downloaded file match the name&version
> contained therein.
> Patch welcome.

Ok, but as I explained in my original message, that solution still makes the attacker's job easier than necessary in some cases. Verifying the hash is a more robust solution than verifying the version number, so my patch below verifies the hash.

This is forward compatible. You can install this now and start putting archive-contents with hashes on elpa (and melpa and marmalade), and old clients will simply ignore the hashes and operate as usual.

BTW, one happy side effect of properly fixing this vulnerability is eliminating melpa's incentive to mangle package version numbers (they're mangled apparently to deal with the problem of package maintainers reusing version numbers).

> It should be fairly easy to add a timestamp in there without
> causing any backward incompatibility.

Unfortunately, I don't see how to add timestamps to archive-contents without breaking old clients, so the metadata replay vulnerability will have to remain open until you decide how to handle the compatibility problem. My patch here only fixes the package replay vulnerability.

--=-=-=
Content-Type: text/x-diff
Content-Disposition: inline; filename=package-replay-vuln.patch

--- emacs-24.4/lisp/emacs-lisp/package.el
+++ emacs-24.4/lisp/emacs-lisp/package.el
@@ -314,6 +314,11 @@
 
 (defvar package--default-summary "No description available.")
 
+(defvar package-hashfun 'sha256 "Function for secure hashing.")
+
+(defvar package-acceptable-hashfuns '(sha256)
+  "Past and current `package-hashfun' functions that are still secure.")
+
 (cl-defstruct (package-desc
                ;; Rename the default constructor from `make-package-desc'.
                (:constructor package-desc-create)
@@ -843,6 +848,20 @@
                          (epg-context-result-for context 'verify)))
         good-signatures))))
 
+(defun package--check-size (pkg-desc)
+  (eq (cdr (assoc :size (package-desc-extras pkg-desc)))
+      (pcase (package-desc-kind pkg-desc)
+	(`single (string-bytes (buffer-string)))
+	(`tar (buffer-size)) ; Because insert-file-contents mangled the literal
+	(kind (error "Unknown package kind: %s" kind)))))
+
+(defun package--check-hash (pkg-desc)
+  (let* ((x (cdr (assoc :hash (package-desc-extras pkg-desc))))
+	 (hashfun (car x)) ; Avoid Git's shortsightedness
+	 (hash (cadr x)))
+    (and (memq hashfun package-acceptable-hashfuns)
+	 (string= hash (secure-hash hashfun (current-buffer))))))
+
 (defun package-install-from-archive (pkg-desc)
   "Download and install a tar package."
   (let* ((location (package-archive-base pkg-desc))
@@ -859,6 +878,10 @@
 	    (unless (eq package-check-signature 'allow-unsigned)
 	      (error "Unsigned package: `%s'"
 		     (package-desc-name pkg-desc)))))
+      (unless (package--check-size pkg-desc)
+	(error "File size not correct: %s" (package-desc-name pkg-desc)))
+      (unless (package--check-hash pkg-desc)
+	(error "Failed to verify hash: %s" (package-desc-name pkg-desc)))
       (package-unpack pkg-desc))
     ;; Here the package has been installed successfully, mark it as
     ;; signed if appropriate.
@@ -1172,7 +1195,10 @@
            (package--prepare-dependencies
             (package-read-from-string requires-str)))
        :kind 'single
-       :url homepage))))
+       :url homepage
+       :size (string-bytes (buffer-string))
+       :hash (list package-hashfun
+		   (secure-hash package-hashfun (current-buffer)))))))
 
 (declare-function tar-get-file-descriptor "tar-mode" (file))
 (declare-function tar--extract "tar-mode" (descriptor))
@@ -1184,7 +1210,10 @@
   (let* ((dir-name (file-name-directory
                     (tar-header-name (car tar-parse-info))))
          (desc-file (package--description-file dir-name))
-         (tar-desc (tar-get-file-descriptor (concat dir-name desc-file))))
+         (tar-desc (tar-get-file-descriptor (concat dir-name desc-file)))
+	 (size (buffer-size tar-data-buffer))
+	 (hash (list package-hashfun
+		     (secure-hash package-hashfun tar-data-buffer))))
     (unless tar-desc
       (error "No package descriptor file found"))
     (with-current-buffer (tar--extract tar-desc)
@@ -1196,7 +1225,8 @@
                       (error "Can't find define-package in %s"
                              (tar-header-name tar-desc))
                     (apply #'package-desc-from-define
-                           (append (cdr pkg-def-parsed))))))
+                           (append (cdr pkg-def-parsed)
+				   (list :size size :hash hash))))))
             (setf (package-desc-kind pkg-desc) 'tar)
             pkg-desc)
         (kill-buffer (current-buffer))))))

--=-=-=--




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#19479; Package emacs. Full text available.

Message received at 19479 <at> debbugs.gnu.org:


Received: (at 19479) by debbugs.gnu.org; 7 Jan 2015 04:27:06 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Jan 06 23:27:06 2015
Received: from localhost ([127.0.0.1]:39086 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1Y8iD4-0003rm-5S
	for submit <at> debbugs.gnu.org; Tue, 06 Jan 2015 23:27:06 -0500
Received: from fencepost.gnu.org ([208.118.235.10]:53088)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <rms@HIDDEN>) id 1Y8iD2-0003rf-Tv
 for 19479 <at> debbugs.gnu.org; Tue, 06 Jan 2015 23:27:05 -0500
Received: from rms by fencepost.gnu.org with local (Exim 4.71)
 (envelope-from <rms@HIDDEN>)
 id 1Y8iD1-0006ot-QC; Tue, 06 Jan 2015 23:27:03 -0500
Date: Tue, 06 Jan 2015 23:27:03 -0500
Message-Id: <E1Y8iD1-0006ot-QC@HIDDEN>
Content-Type: text/plain; charset=Utf-8
From: Richard Stallman <rms@HIDDEN>
To: Kelly Dean <kelly@HIDDEN>
In-reply-to: <7H65S0MOziz4Z4bzCiATJJDvxaiWHmPOI3K95M87DGM@local> (message from
 Kelly Dean on Tue, 06 Jan 2015 06:38:12 +0000)
Subject: Re: bug#19479: Package manager vulnerable
References: <E1Y8Bor-0003yH-Mu@HIDDEN>
 <7H65S0MOziz4Z4bzCiATJJDvxaiWHmPOI3K95M87DGM@local>
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: 19479
Cc: 19479 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: rms@HIDDEN
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -5.0 (-----)

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > If you expect him to know the latest version number of a package
  > (without relying on the gnu.org webserver to find out, in case
  > it's compromised),

It is normal for users to find the latest version based on gnu.org.
So we don't expect that.

   > and you expect him to manually verify that his download is the
   > latest version (in addition to verifying the signature, of
   > course),

The file name has the version in it.

So it seems we have a problem to fix.  Would you like to help
us fix it?

-- 
Dr Richard Stallman
President, Free Software Foundation
51 Franklin St
Boston MA 02110
USA
www.fsf.org  www.gnu.org
Skype: No way! That's nonfree (freedom-denying) software.
  Use Ekiga or an ordinary phone call.





Information forwarded to bug-gnu-emacs@HIDDEN:
bug#19479; Package emacs. Full text available.

Message received at 19479 <at> debbugs.gnu.org:


Received: (at 19479) by debbugs.gnu.org; 6 Jan 2015 06:39:08 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Jan 06 01:39:08 2015
Received: from localhost ([127.0.0.1]:37938 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1Y8NnH-0008W4-EJ
	for submit <at> debbugs.gnu.org; Tue, 06 Jan 2015 01:39:08 -0500
Received: from relay5-d.mail.gandi.net ([217.70.183.197]:35980)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <kelly@HIDDEN>) id 1Y8NnA-0008VX-U6
 for 19479 <at> debbugs.gnu.org; Tue, 06 Jan 2015 01:39:02 -0500
Received: from mfilter9-d.gandi.net (mfilter9-d.gandi.net [217.70.178.138])
 by relay5-d.mail.gandi.net (Postfix) with ESMTP id 161F641C05D;
 Tue,  6 Jan 2015 07:38:59 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mfilter9-d.gandi.net
Received: from relay5-d.mail.gandi.net ([217.70.183.197])
 by mfilter9-d.gandi.net (mfilter9-d.gandi.net [10.0.15.180]) (amavisd-new,
 port 10024)
 with ESMTP id 5WPg4xNyBOOO; Tue,  6 Jan 2015 07:38:57 +0100 (CET)
X-Originating-IP: 162.248.99.114
Received: from localhost (114-99-248-162-static.reverse.queryfoundry.net
 [162.248.99.114]) (Authenticated sender: kelly@HIDDEN)
 by relay5-d.mail.gandi.net (Postfix) with ESMTPSA id C198841C06A;
 Tue,  6 Jan 2015 07:38:56 +0100 (CET)
From: Kelly Dean <kelly@HIDDEN>
To: Richard Stallman <rms@HIDDEN>
Subject: Re: bug#19479: Package manager vulnerable
References: <E1Y8Bor-0003yH-Mu@HIDDEN>
In-reply-to: <E1Y8Bor-0003yH-Mu@HIDDEN>
Date: Tue, 06 Jan 2015 06:38:12 +0000
Message-ID: <7H65S0MOziz4Z4bzCiATJJDvxaiWHmPOI3K95M87DGM@local>
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 19479
Cc: 19479 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.7 (/)

Richard Stallman wrote:
> What do we need to do on ftp.gnu.org to avoid these dangers?

It depends on what you expect the user's responsibility to be.

If you expect him to know the latest version number of a package (without relying on the gnu.org webserver to find out, in case it's compromised), and you expect him to manually verify that his download is the latest version (in addition to verifying the signature, of course), and you give him the ability to do this by always including both the name and the version number in your packages (so far as I'm aware, you already do) and never re-using version numbers (I think you're ok here too), then you have no problem, so there's nothing you need to do.

Otherwise, the problems and solution are the same as for package distribution systems in general, as detailed at
https://www.cs.arizona.edu/stork/packagemanagersecurity/attacks-on-package-managers.html
https://www.cs.arizona.edu/stork/packagemanagersecurity/otherattacks.html




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#19479; Package emacs. Full text available.

Message received at 19479 <at> debbugs.gnu.org:


Received: (at 19479) by debbugs.gnu.org; 5 Jan 2015 02:16:08 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Jan 04 21:16:08 2015
Received: from localhost ([127.0.0.1]:36826 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1Y7xDE-0000ed-DZ
	for submit <at> debbugs.gnu.org; Sun, 04 Jan 2015 21:16:08 -0500
Received: from ironport2-out.teksavvy.com ([206.248.154.181]:28491)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <monnier@HIDDEN>) id 1Y7xDC-0000eT-1U
 for 19479 <at> debbugs.gnu.org; Sun, 04 Jan 2015 21:16:06 -0500
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AjwPAOwQflRFpY0B/2dsb2JhbABbgweDYIVaxR0EAgKBJBcBAQEBAQF8hAMBAQMBViMFCws0EhQYDSQuiBwJ1lkBAQEBBgEBAQEejTaDOQeESAWLAYxVBYVXjHSCf4IKgXiEGSGCdwEBAQ
X-IPAS-Result: AjwPAOwQflRFpY0B/2dsb2JhbABbgweDYIVaxR0EAgKBJBcBAQEBAQF8hAMBAQMBViMFCws0EhQYDSQuiBwJ1lkBAQEBBgEBAQEejTaDOQeESAWLAYxVBYVXjHSCf4IKgXiEGSGCdwEBAQ
X-IronPort-AV: E=Sophos;i="5.07,502,1413259200"; d="scan'208";a="106581645"
Received: from 69-165-141-1.dsl.teksavvy.com (HELO pastel.home)
 ([69.165.141.1])
 by ironport2-out.teksavvy.com with ESMTP/TLS/DHE-RSA-AES256-SHA;
 04 Jan 2015 21:16:05 -0500
Received: by pastel.home (Postfix, from userid 20848)
 id 46E7D2527; Sun,  4 Jan 2015 21:16:00 -0500 (EST)
From: Stefan Monnier <monnier@HIDDEN>
To: Kelly Dean <kelly@HIDDEN>
Subject: Re: bug#19479: Package manager vulnerable
Message-ID: <jwvsifq7zbm.fsf-monnier+emacsbugs@HIDDEN>
References: <jwvk3129vcv.fsf-monnier+emacsbugs@HIDDEN>
 <n8t12ARtBOP2IyF6ar4BeFkfjejJKEoGanRQ7q6LPrq@local>
Date: Sun, 04 Jan 2015 21:16:00 -0500
In-Reply-To: <n8t12ARtBOP2IyF6ar4BeFkfjejJKEoGanRQ7q6LPrq@local> (Kelly Dean's
 message of "Mon, 05 Jan 2015 01:11:40 +0000")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: 0.3 (/)
X-Debbugs-Envelope-To: 19479
Cc: 19479 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: 0.3 (/)

> If filenames include version numbers and the version numbers are never
> reused,

The ELPA system in general does not enforce that.  But the GNU ELPA
scripts do, and other ELPA servers work in a way that should generally
make sure this is also the case.

> then your solution does prevent package replay attacks. Since Emacs
> packages already include a Version header (and the package name), you could
> actually do your proposed verification using that header, without changing
> the way signatures are currently made, which is a solution I addressed in my
> original emacs-devel message.

Indeed, I realized this just after I sent my message.
So we can fix this problem simply by changing package.el so as to check
that the name&version of the downloaded file match the name&version
contained therein.
Patch welcome.

> But remember, none of the above prevents metadata replay attacks. If the
> user himself is specifying the metadata (e.g. you manually request Emacs
> 24.4 because you know that's the latest version), then verification to
> prevent metadata replay attacks isn't the computer's job. But when the user
> just says to update some package(s) to the latest version, without
> specifying the version, then it is the computer's job. For this,
> put a timestamp of the archive-contents file into the file itself.

Agreed.  It should be fairly easy to add a timestamp in there without
causing any backward incompatibility.


        Stefan




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#19479; Package emacs. Full text available.

Message received at 19479 <at> debbugs.gnu.org:


Received: (at 19479) by debbugs.gnu.org; 5 Jan 2015 01:12:29 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Jan 04 20:12:29 2015
Received: from localhost ([127.0.0.1]:36792 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1Y7wDc-0006C7-ES
	for submit <at> debbugs.gnu.org; Sun, 04 Jan 2015 20:12:28 -0500
Received: from relay6-d.mail.gandi.net ([217.70.183.198]:60514)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <kelly@HIDDEN>) id 1Y7wDa-0006Bz-Fx
 for 19479 <at> debbugs.gnu.org; Sun, 04 Jan 2015 20:12:27 -0500
Received: from mfilter3-d.gandi.net (mfilter3-d.gandi.net [217.70.178.133])
 by relay6-d.mail.gandi.net (Postfix) with ESMTP id B70BBFB87D;
 Mon,  5 Jan 2015 02:12:25 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mfilter3-d.gandi.net
Received: from relay6-d.mail.gandi.net ([217.70.183.198])
 by mfilter3-d.gandi.net (mfilter3-d.gandi.net [10.0.15.180]) (amavisd-new,
 port 10024)
 with ESMTP id NGVQfDuhw36v; Mon,  5 Jan 2015 02:12:24 +0100 (CET)
X-Originating-IP: 162.248.99.114
Received: from localhost (114-99-248-162-static.reverse.queryfoundry.net
 [162.248.99.114]) (Authenticated sender: kelly@HIDDEN)
 by relay6-d.mail.gandi.net (Postfix) with ESMTPSA id 1FDD6FB86E;
 Mon,  5 Jan 2015 02:12:21 +0100 (CET)
From: Kelly Dean <kelly@HIDDEN>
To: Stefan Monnier <monnier@HIDDEN>
Subject: Re: bug#19479: Package manager vulnerable
In-Reply-To: <jwvk3129vcv.fsf-monnier+emacsbugs@HIDDEN>
References: <jwvk3129vcv.fsf-monnier+emacsbugs@HIDDEN>
Date: Mon, 05 Jan 2015 01:11:40 +0000
Message-ID: <n8t12ARtBOP2IyF6ar4BeFkfjejJKEoGanRQ7q6LPrq@local>
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 19479
Cc: 19479 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.7 (/)

Stefan Monnier wrote:
> AFAICT, this vulnerability also applies to the way GNU packages are
> distributed in ftp.gnu.org (i.e. as a tarball plus a .sig file).
>
> Is that right?

Yes, because there are no hashes in, or signatures on, http://ftp.gnu.org/find.txt.gz or http://ftp.gnu.org/ls-lrRt.txt.gz

They used to do it right; see
http://ftp.gnu.org/before-2003-08-01.md5sums.asc

But it looks like they stopped.

Having to redo a huge monolithic metadata file whenever any data file changes is inefficient; it's more efficient for the metadata for each directory to just have the hash of each file in the directory and the hash of the metadata of each subdirectory, like Git does. But either way will prevent package replay attacks.

>> Executive summary to fix the vulnerabilities:
>
> Another way to attack the problem is to include the file name along with
> its content in "the thing that gets signed".
> I.e. the signature shouldn't apply to the output of "cat <foo>" but to
> the output of "echo <foo>; cat <foo>".
>
> This way an attacker can't take <vulnerable>.tar along with
> <vulnerable>.tar.sig and send them off as <safe>.tar along with
> <safe>.tar.sig.

If filenames include version numbers and the version numbers are never reused, then your solution does prevent package replay attacks. Since Emacs packages already include a Version header (and the package name), you could actually do your proposed verification using that header, without changing the way signatures are currently made, which is a solution I addressed in my original emacs-devel message.

But having a list of hashes of all the packages (and even better, chaining together all the versions of that list) makes changes to any package more conspicuous, which makes the attacker's job harder, as I explained. And if you do that, then the elpa key no longer needs to sign individual packages at all. Git, Fossil, and Debian's apt-get use hash lists, and Git and Fossil also chain together the lists, so there's good precedence. Both are simple to do for Emacs: in the archive-contents file, include the hash of each package and the hash of the previous version of archive-contents.

But remember, none of the above prevents metadata replay attacks. If the user himself is specifying the metadata (e.g. you manually request Emacs 24.4 because you know that's the latest version), then verification to prevent metadata replay attacks isn't the computer's job. But when the user just says to update some package(s) to the latest version, without specifying the version, then it is the computer's job. For this, put a timestamp of the archive-contents file into the file itself.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#19479; Package emacs. Full text available.

Message received at 19479 <at> debbugs.gnu.org:


Received: (at 19479) by debbugs.gnu.org; 4 Jan 2015 20:00:48 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Jan 04 15:00:48 2015
Received: from localhost ([127.0.0.1]:36609 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1Y7rLz-0006tZ-Iw
	for submit <at> debbugs.gnu.org; Sun, 04 Jan 2015 15:00:47 -0500
Received: from ironport2-out.teksavvy.com ([206.248.154.181]:51727)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <monnier@HIDDEN>) id 1Y7rLw-0006tQ-OJ
 for 19479 <at> debbugs.gnu.org; Sun, 04 Jan 2015 15:00:45 -0500
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AqkPAOwQflRFpY0B/2dsb2JhbABbgwdSWYI1UIUKvl8bCoYZBAICgSQXAQEBAQEBfIQDAQEBAgEBAiAzIwULCxoCGA4CAhQUBA0kiEoJDb95llMBAQEBAQUBAQEBAQEYBIErjAuDBjMHgnWBUwWLAYoegjcFgT2WF4F4hBkhMAGCRgEBAQ
X-IPAS-Result: AqkPAOwQflRFpY0B/2dsb2JhbABbgwdSWYI1UIUKvl8bCoYZBAICgSQXAQEBAQEBfIQDAQEBAgEBAiAzIwULCxoCGA4CAhQUBA0kiEoJDb95llMBAQEBAQUBAQEBAQEYBIErjAuDBjMHgnWBUwWLAYoegjcFgT2WF4F4hBkhMAGCRgEBAQ
X-IronPort-AV: E=Sophos;i="5.07,502,1413259200"; d="scan'208";a="106532447"
Received: from 69-165-141-1.dsl.teksavvy.com (HELO ceviche.home)
 ([69.165.141.1])
 by ironport2-out.teksavvy.com with ESMTP/TLS/DHE-RSA-AES256-SHA;
 04 Jan 2015 15:00:44 -0500
Received: by ceviche.home (Postfix, from userid 20848)
 id E704866100; Sun,  4 Jan 2015 15:00:43 -0500 (EST)
From: Stefan Monnier <monnier@HIDDEN>
To: Kelly Dean <kelly@HIDDEN>
Subject: Re: bug#19479: Package manager vulnerable
Message-ID: <jwvk3129vcv.fsf-monnier+emacsbugs@HIDDEN>
References: <qRgJhF1EfrtAmBqmyTLGcOkoyCcHP7kWm6t8KBDxra2@local>
 <OYNAdwJtSjDBqdP8v3CmmCvPSb3L6y6lTYtZpQrTySr@local>
Date: Sun, 04 Jan 2015 15:00:43 -0500
In-Reply-To: <OYNAdwJtSjDBqdP8v3CmmCvPSb3L6y6lTYtZpQrTySr@local> (Kelly Dean's
 message of "Thu, 01 Jan 2015 12:38:59 +0000")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 0.3 (/)
X-Debbugs-Envelope-To: 19479
Cc: 19479 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: 0.3 (/)

> For details, see my message with subject =E2=8C=9CEmacs package manager v=
ulnerable
> to replay attacks=E2=8C=9D to emacs-devel on 30 Dec 2014:
> https://lists.gnu.org/archive/html/emacs-devel/2014-12/msg02319.html

AFAICT, this vulnerability also applies to the way GNU packages are
distributed in ftp.gnu.org (i.e. as a tarball plus a .sig file).

Is that right?

> Executive summary to fix the vulnerabilities:

Another way to attack the problem is to include the file name along with
its content in "the thing that gets signed".
I.e. the signature shouldn't apply to the output of "cat <foo>" but to
the output of "echo <foo>; cat <foo>".

This way an attacker can't take <vulnerable>.tar along with
<vulnerable>.tar.sig and send them off as <safe>.tar along with
<safe>.tar.sig.


        Stefan




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#19479; Package emacs. Full text available.

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 1 Jan 2015 12:40:00 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Jan 01 07:40:00 2015
Received: from localhost ([127.0.0.1]:34089 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1Y6f2l-0005XM-Rl
	for submit <at> debbugs.gnu.org; Thu, 01 Jan 2015 07:40:00 -0500
Received: from eggs.gnu.org ([208.118.235.92]:54731)
 by debbugs.gnu.org with esmtp (Exim 4.80)
 (envelope-from <kelly@HIDDEN>) id 1Y6f2i-0005XD-9h
 for submit <at> debbugs.gnu.org; Thu, 01 Jan 2015 07:39:57 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <kelly@HIDDEN>) id 1Y6f2g-0002ca-Ei
 for submit <at> debbugs.gnu.org; Thu, 01 Jan 2015 07:39:55 -0500
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50 autolearn=disabled
 version=3.3.2
Received: from lists.gnu.org ([2001:4830:134:3::11]:56488)
 by eggs.gnu.org with esmtp (Exim 4.71)
 (envelope-from <kelly@HIDDEN>) id 1Y6f2g-0002cW-CT
 for submit <at> debbugs.gnu.org; Thu, 01 Jan 2015 07:39:54 -0500
Received: from eggs.gnu.org ([2001:4830:134:3::10]:56453)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <kelly@HIDDEN>) id 1Y6f2e-0005BI-Qq
 for bug-gnu-emacs@HIDDEN; Thu, 01 Jan 2015 07:39:54 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <kelly@HIDDEN>) id 1Y6f2b-0002YZ-Jt
 for bug-gnu-emacs@HIDDEN; Thu, 01 Jan 2015 07:39:52 -0500
Received: from relay4-d.mail.gandi.net ([2001:4b98:c:538::196]:45559)
 by eggs.gnu.org with esmtp (Exim 4.71)
 (envelope-from <kelly@HIDDEN>) id 1Y6f2b-0002YE-B9
 for bug-gnu-emacs@HIDDEN; Thu, 01 Jan 2015 07:39:49 -0500
Received: from mfilter23-d.gandi.net (mfilter23-d.gandi.net [217.70.178.151])
 by relay4-d.mail.gandi.net (Postfix) with ESMTP id AA192172055
 for <bug-gnu-emacs@HIDDEN>; Thu,  1 Jan 2015 13:39:48 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mfilter23-d.gandi.net
Received: from relay4-d.mail.gandi.net ([217.70.183.196])
 by mfilter23-d.gandi.net (mfilter23-d.gandi.net [10.0.15.180]) (amavisd-new,
 port 10024) with ESMTP id glmg8rq7mzjV for <bug-gnu-emacs@HIDDEN>;
 Thu,  1 Jan 2015 13:39:47 +0100 (CET)
X-Originating-IP: 162.248.99.114
Received: from localhost (114-99-248-162-static.reverse.queryfoundry.net
 [162.248.99.114]) (Authenticated sender: kelly@HIDDEN)
 by relay4-d.mail.gandi.net (Postfix) with ESMTPSA id 06A0F172071
 for <bug-gnu-emacs@HIDDEN>; Thu,  1 Jan 2015 13:39:45 +0100 (CET)
From: Kelly Dean <kelly@HIDDEN>
To: bug-gnu-emacs@HIDDEN
Subject: Package manager vulnerable
References: <qRgJhF1EfrtAmBqmyTLGcOkoyCcHP7kWm6t8KBDxra2@local>
Date: Thu, 01 Jan 2015 12:38:59 +0000
Message-ID: <OYNAdwJtSjDBqdP8v3CmmCvPSb3L6y6lTYtZpQrTySr@local>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-detected-operating-system: by eggs.gnu.org: Error: Malformed IPv6 address
 (bad octet value).
X-detected-operating-system: by eggs.gnu.org: Error: Malformed IPv6 address
 (bad octet value).
X-Received-From: 2001:4830:134:3::11
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -5.0 (-----)

Ivan Shmakov requested that I send this message to the bug list.

For details, see my message with subject =E2=8C=9CEmacs package manager v=
ulnerable to replay attacks=E2=8C=9D to emacs-devel on 30 Dec 2014:
https://lists.gnu.org/archive/html/emacs-devel/2014-12/msg02319.html

Executive summary to fix the vulnerabilities:

0. Include a hash and length of each package's content in the package's r=
ecord in archive-contents, rather than only including the package name an=
d version number in that file as Emacs currently does. Barf if a package =
hash doesn't verify, regardless of whether any signatures verify.
(Length technically not necessary, but still generally useful, e.g. if th=
ere's a length mismatch then you know there's a content mismatch and you =
don't have to bother checking the hash.)

Stop distributing elpa-key signatures of packages, since they're superflu=
ous if you have package hashes in archive-contents and have elpa-key sign=
atures of archive-contents, and you already have the latter.

1. Include a timestamp of archive-contents in that file itself (so that t=
he signature in archive-contents.sig depends on the timestamp, so that th=
e timestamp can't be forged), and have Emacs ignore any new archive-conte=
nts that's older than the latest valid one that Emacs has already seen or=
 is older than some specified limit. One thing I forgot to mention in my =
original message: have Emacs signal a warning if it ever sees an archive-=
contents dated in the future, which indicates misconfiguration of the cli=
ent or server (or of course, some kind of mischief).

Optional alternative timestamp handling, as Ivan pointed out that Debian =
does (at least sometimes): Instead of expiring archive-contents after som=
e limit configured in Emacs, put an explicit expiration date in it. Perso=
nally, I don't like server-supplied expiration dates, kind of for a simil=
ar reason that RMS doesn't like server-supplied Javascript, or maybe just=
 because I have too many irritating memories of expired SSL certs.

Ivan suggested maybe filing those as separate bug reports, but it's point=
less to fix either of them unless both are fixed, so it makes more sense =
to include them together.

One more feature: include in each version of archive-contents a hash (and=
 length) of the previous version of that file. This isn't necessary for p=
reventing any of the vulnerabilities above, but it's easy insurance that =
slightly mitigates the disaster if the metadata signing key is compromise=
d. It's pointless unless both the above problems are fixed, so it makes s=
ense to put it here.

BTW, check whether Emacs is vulnerable to endless-data attack. (I haven't=
.) If it is, then the length field mentioned above (which is a good idea =
in any case) will assist in early detection of this attack. This belongs =
here because... well no it doesn't, but I don't want to file a separate b=
ug report for it because the report would be bogus if it turns out Emacs =
isn't vulnerable, and I've already filled my bogusness quota for the week=
.




Acknowledgement sent to Kelly Dean <kelly@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs@HIDDEN. Full text available.
Report forwarded to bug-gnu-emacs@HIDDEN:
bug#19479; Package emacs. Full text available.
Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.
Last modified: Sat, 2 Sep 2017 12:30:01 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.