From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: =?UTF-8?Q?Jo=C3=A3o_?= =?UTF-8?Q?T=C3=A1vora?= <joaotavora@gmail.com>
Newsgroups: gmane.emacs.bugs
Subject: bug#14380: 24.3;
	`network-stream-open-tls' fails in some imap servers on w32
Date: Sun, 19 May 2013 12:45:12 +0100
Message-ID: <CALDnm50KHS7wOKUpQJQHb4V_PLfQs6VkjEsRmPgY=R5x0eEuUg__1160.97971699691$1368964009$gmane$org@mail.gmail.com>
References: <87k3mw79iv.fsf@lifelogs.com>
	<CALDnm51ZBQn_T0w43TfNiui+nfBcJL5z_4egAXmtwdHOW3qCXQ@mail.gmail.com>
	<87zjvr64lt.fsf_-_@lifelogs.com>
NNTP-Posting-Host: plane.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
X-Trace: ger.gmane.org 1368964004 2543 80.91.229.3 (19 May 2013 11:46:44 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Sun, 19 May 2013 11:46:44 +0000 (UTC)
Cc: 14380@debbugs.gnu.org, emacs-devel@gnu.org
To: Ted Zlatanov <tzz@lifelogs.com>
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Sun May 19 13:46:42 2013
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by plane.gmane.org with esmtp (Exim 4.69)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1Ue24Y-0001Ui-6G
	for geb-bug-gnu-emacs@m.gmane.org; Sun, 19 May 2013 13:46:42 +0200
Original-Received: from localhost ([::1]:45996 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1Ue24X-0002cp-RO
	for geb-bug-gnu-emacs@m.gmane.org; Sun, 19 May 2013 07:46:41 -0400
Original-Received: from eggs.gnu.org ([208.118.235.92]:39210)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1Ue24T-0002ck-28
	for bug-gnu-emacs@gnu.org; Sun, 19 May 2013 07:46:39 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1Ue24S-0003fX-3s
	for bug-gnu-emacs@gnu.org; Sun, 19 May 2013 07:46:37 -0400
Original-Received: from debbugs.gnu.org ([140.186.70.43]:34635)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1Ue24S-0003fT-0V
	for bug-gnu-emacs@gnu.org; Sun, 19 May 2013 07:46:36 -0400
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.72)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1Ue24r-0007fE-P1; Sun, 19 May 2013 07:47:01 -0400
X-Loop: help-debbugs@gnu.org
Resent-From: =?UTF-8?Q?Jo=C3=A3o_?= =?UTF-8?Q?T=C3=A1vora?=
	<joaotavora@gmail.com>
Original-Sender: debbugs-submit-bounces@debbugs.gnu.org
Resent-CC: bug-gnu-emacs@gnu.org, bugs@gnus.org
Resent-Date: Sun, 19 May 2013 11:47:01 +0000
Resent-Message-ID: <handler.14380.B14380.136896397229372@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 14380
X-GNU-PR-Package: emacs,gnus
X-GNU-PR-Keywords: 
Original-Received: via spool by 14380-submit@debbugs.gnu.org id=B14380.136896397229372
	(code B ref 14380); Sun, 19 May 2013 11:47:01 +0000
Original-Received: (at 14380) by debbugs.gnu.org; 19 May 2013 11:46:12 +0000
Original-Received: from localhost ([127.0.0.1]:51225 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.72)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1Ue241-0007da-0F
	for submit@debbugs.gnu.org; Sun, 19 May 2013 07:46:10 -0400
Original-Received: from mail-da0-f52.google.com ([209.85.210.52]:49542)
	by debbugs.gnu.org with esmtp (Exim 4.72)
	(envelope-from <joaotavora@gmail.com>) id 1Ue23x-0007d5-CH
	for 14380@debbugs.gnu.org; Sun, 19 May 2013 07:46:07 -0400
Original-Received: by mail-da0-f52.google.com with SMTP id o9so3314777dan.11
	for <14380@debbugs.gnu.org>; Sun, 19 May 2013 04:45:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; 
	h=x-received:mime-version:in-reply-to:references:from:date:message-id
	:subject:to:cc:content-type:content-transfer-encoding;
	bh=LsTKTSwdhGbq3G7MWDnas4tn1AyMwy+txOO3AeKEUBE=;
	b=dwZoNe1Ul8jQyScPqOVMZ0FEiFoIWJoabJsepr5sHVRcVdHNy8uLRb2b6f/icu9Eol
	2CWegUic3URTY6HmTidc5/mo9ONCXqu0PMRN84BNVfWjNza0P9tWQk6icZeS32ZXKTcH
	p3bhbg9krRy+G53okFzyU6O6hkHnKGmmokyIaPY0QuZ0TqK/RvI5e/68AW0/Gk1KYTwT
	Yu9GI30UEd0hDSzF0UCQ9DH00CZWLZ+YGl2NSP4fdTXNMiY+u6unk0Ge0UUwrRF6/5N4
	tzTpTyrTS2EKZphqBR37ab+5gb2S40unWem9Am7sNLt2onZ+L49MgIr/fa/qECjRqGe2
	7TPQ==
X-Received: by 10.68.189.8 with SMTP id ge8mr40906502pbc.199.1368963932287;
	Sun, 19 May 2013 04:45:32 -0700 (PDT)
Original-Received: by 10.68.219.137 with HTTP; Sun, 19 May 2013 04:45:12 -0700 (PDT)
In-Reply-To: <87zjvr64lt.fsf_-_@lifelogs.com>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.13
Precedence: list
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x
X-Received-From: 140.186.70.43
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
	the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-gnu-emacs>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org
Original-Sender: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org
Xref: news.gmane.org gmane.emacs.bugs:74400
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/74400>

On Sun, May 19, 2013 at 4:17 AM, Ted Zlatanov <tzz@lifelogs.com> wrote:
> GnuTLS W32 DLLs with the W32 Emacs builds.  That led to a long
> discussions about how that makes security our responsibility and how we

I see. Indeed, bundling security stuff with your app is increasing
its responsibility manifold.

> Wouldn't you rather get GnuTLS to work by default?  Otherwise we serve
> the use case "I have no secure transport, so let me use a hack by
> default."

I don't understand. What is the hack here? External binary for TLS?
But yes, GnuTLS by default is certainly better...

> service either.  Who will be responsible to it?  What happens when a
> security vulnerability hits the DLLs we distribute with Emacs?
>
> My proposal would be to push out the next Emacs bundled with the latest
> GnuTLS DLLs, only support GnuTLS, provide users with instructions on
> updating them, and treat GnuTLS vulnerabilities as Emacs
> vulnerabilities.  This is not ideal but IMO better than the current
> situation.

... but then you have all these headaches.

The fix I proposed aims for the status quo, that is: make external
TLS binary support slightly more robust. My test case is even smaller:

* W32
* cygwin carrying the responsibility burden
* vanilla emacs working with tls/imap/gnus.

Thanks for the time spent in analysing this,
--=20
Jo=E3o T=E1vora