Package: emacs25
Version: 25.1+1-4

Debian ships Emacs with the default configuration, which means it installs a
separate program 'movemail' that retrieves email via the POP3 protocol. When it
uses POP3, 'movemail' supports only unencrypted mail transfer, which is a
significant security problem for people reading their email.

To avoid this problem, I suggest that Debian build emacs via './configure
--without-pop', as this disables POP in movemail. Although this will remove a
feature, the feature is so insecure that it cannot be recommended.

When Emacs 26 comes out, its ./configure program will have an option
--with-mailutils, and I suggest that Debian use this option and make the
'mailutils' package a prerequisite for Emacs. This will add support for
encrypted POP3 email, thus restoring the POP3 capability lost by using
--without-pop.

Thanks.