From: Ted Zlatanov
Organization: Теодор Златанов @ Cienfuegos
Newsgroups: gmane.emacs.bugs
Subject: bug#14380: 24.3; `network-stream-open-tls' fails in some imap servers on w32
Date: Fri, 24 May 2013 15:48:20 -0400
Message-ID: <87y5b417nf.fsf@lifelogs.com>
To: Eli Zaretskii
Cc: 14380@debbugs.gnu.org, joaotavora@gmail.com

On Mon, 20 May 2013 19:28:40 +0300 Eli Zaretskii wrote:

>> From: Ted Zlatanov
>> Cc: 14380@debbugs.gnu.org, joaotavora@gmail.com
>> Date: Mon, 20 May 2013 09:56:27 -0400
>>
>> On Sun, 19 May 2013 18:32:37 +0300 Eli Zaretskii wrote:
>>
>> >> My proposal would be to push out the next Emacs bundled with the latest
>> >> GnuTLS DLLs, only support GnuTLS, provide users with instructions on
>> >> updating them, and treat GnuTLS vulnerabilities as Emacs
>> >> vulnerabilities. This is not ideal but IMO better than the current
>> >> situation.
>>
EZ> I see no problems with the current situation. Installing precompiled
EZ> GnuTLS from a zip file is a snap.
>>
>> That's only a small part of the risk and responsibility we're shifting
>> onto the Emacs users.

EZ> What risk? what responsibility?

The risk is that their version of GnuTLS is out of date. The
responsibility is to update it regularly.

EZ> A user who installs software on her computer is already trusted with
EZ> certain responsibilities, because a single mistyped command or a badly
EZ> built package can easily shut down a perfectly healthy system for
EZ> hours, if not days. Users install dozens of packages needed to create
EZ> a workable environment for whatever they need to accomplish. Why is
EZ> GnuTLS so special?

Installing and keeping GnuTLS up to date should not be the
responsibility of the user. To put it another way, if you want that
responsibility, you're in a very small percentage of the Emacs user
population. Most users don't want it and will neglect it badly.

EZ> And mind you, in view of the latest sparring between GnuTLS developers
EZ> and the FSF (which I have no idea how ended, except that the license
EZ> was downgraded a bit and the official site moved), I'm not even sure
EZ> the FSF will agree to distribute GnuTLS with Emacs, on any platform.
EZ> Why should Emacs development enter this minefield?

That's a reasonable question. I think we have to face it regardless of
the outcome of this discussion because Emacs depends on GnuTLS for SSL
and TLS communications right now. As far as I know GnuTLS status is
back to "kosher."

EZ> And for what? for solving a non-existing problem of installing a
EZ> simple package?

Installing is easy. Keeping it up to date isn't. Security updates are
tedious and tedious things get overlooked.

EZ> Don't misunderstand me: if someone decides to provide regular builds
EZ> of GnuTLS ready to be downloaded and installed, I will applaud that
EZ> person. Heck, it will be one less duty for me, for starters, as far
EZ> as the Windows binaries are concerned. But please don't represent
EZ> this as a must for Emacs, because it isn't.

I see it as a responsibility we're avoiding.

But if we had these regular builds, how would the user know about a
critical update he really must install?

See here http://bugs.python.org/issue17425 for an example of how the
Python community dealt with a security issue in the OpenSSL libraries
they ship for Windows. I guess we have to answer the question of
whether that's a standard we as Emacs developers should aspire to, or
not.

Ted