emacs: mark version < 30 as insecure and tell users to use emacs30

[jian-lin]

related: #384575

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[jian-lin]

Currently, emacs-macport has no maintainer and probably has more CVEs since it is only 29.1 in Nixpkgs. Hopefully, some affected users of this PR will volunteer to maintain it.

[nixpkgs-ci]

Successfully created backport PR for release-24.11:

• [Backport release-24.11] emacs: mark version < 30 as insecure and tell users to use emacs30 #386238

[K900]

So this broke every single package that depends on the emacs alias, like xdp-tools, and probably more.

[K900]

It also made Emacs no longer get built on Hydra: https://hydra.nixos.org/eval/1812644

[jian-lin]

So this broke every single package that depends on the emacs alias, like xdp-tools, and probably more.

Yes, packages having emacs, emacs-nox or emacs-gtk in their dependency closure are transitively insecure. This is not a good user experience.

Here is the list of 75 those packages (emacs and emacs lisp packages are not included below):

Details

• aerc
• afew
• afew.dist
• afew.doc
• afew.man
• agda
• alot
• alot.dist
• astroid
• auctex
• auctex.tex
• cflow
• cscope
• easycrypt
• emacs-lsp-booster
• emacspeak
• framac
• i3status-rust
• idutils
• knot-dns
• knot-dns.bin
• knot-dns.dev
• knot-resolver
• knot-resolver.dev
• lbdb
• lieer
• lieer.dist
• mozart2
• mozart2-binary
• mu
• mu.mu4e
• muchsync
• mujmap
• neomutt
• notifymuch
• notifymuch.dist
• notmuch
• notmuch-addrlookup
• notmuch-mailmover
• notmuch.bindingconfig
• notmuch.emacs
• notmuch.info
• notmuch.man
• notmuch.vim (vimPlugins.notmuch-vim ,vimPlugins.notmuch-vim.bindingconfig ,vimPlugins.notmuch-vim.emacs ,vimPlugins.notmuch-vim.info ,vimPlugins.notmuch-vim.man ,vimPlugins.notmuch-vim.vim)
• ocamlPackages.lambdapi
• ovn
• prometheus-knot-exporter
• prometheus-knot-exporter.dist
• pycflow2dot (python312Packages.pycflow2dot)
• pycflow2dot.dist (python312Packages.pycflow2dot.dist)
• python312Packages.libknot
• python312Packages.libknot.dist
• python312Packages.notmuch
• python312Packages.notmuch.dist
• python312Packages.notmuch2
• python312Packages.notmuch2.dist
• python313Packages.libknot
• python313Packages.libknot.dist
• python313Packages.notmuch
• python313Packages.notmuch.dist
• python313Packages.notmuch2
• python313Packages.notmuch2.dist
• python313Packages.pycflow2dot
• python313Packages.pycflow2dot.dist
• rtags
• supercollider_scel
• trexio
• trexio.dev
• tuntox
• vimPlugins.vim-agda
• why3
• why3.dev
• xdp-tools
• xdp-tools.lib

---

I proposed #386348 as a workaround. To avoid staging, it lets hydra not build Emacs lisp packages, which may have a smaller impact than this PR.

BTW, since hydra evaluator now runs on a more powerful hardware, are 6347 small Emacs lisp packages still considered "massive rebuilds"? CC @vcunat @Hexa