From: Ioannis Kappas
Newsgroups: gmane.emacs.bugs
Subject: bug#51038: 27.2; ELPA certificate not trusted on Windows
Date: Sun, 24 Oct 2021 21:30:09 +0100
References: <83mtmy2vri.fsf@gnu.org> <83h7d62r5u.fsf@gnu.org>
To: Eli Zaretskii
Cc: john@rootabega.net, 51038@debbugs.gnu.org, Lars Ingebrigtsen, emacs-hoffman@snkmail.com

On Sun, Oct 24, 2021 at 7:50 PM Eli Zaretskii wrote:
> > From: Ioannis Kappas
> > Date: Sun, 24 Oct 2021 19:21:00 +0100
> > Cc: john@rootabega.net, 51038@debbugs.gnu.org, emacs-hoffman@snkmail.com,
> > Lars Ingebrigtsen
> >
> > (apologies for being pedantic here, just want to make sure that any
> > difference in opinion become clear)
>
> I wasn't aware that we are having differences of opinions here.

Great, I think we came to an understanding

1. Issue is not with Emacs.
2. Issue with the latest official precompiled binaries of Gnu Emacs
   for MS-Windows, caused by the bundled GnuTLS library version.

> > before going into the details of a workaround, my argument is that
> > this is an issue with the precompiled binaries of the latest official
> > Gnu Emacs release at the official ftp site. If a user or process
> > installs today these binaries on their system, Emacs will not work to
> > its full potential.
> > Furthermore, the user will not be aware why the
> > connection to the elpa archive fails nor of a potential work around. I
> > consider this to be a major issue with the precompiled binaries
> > prepared by the Gnu Emacs projects, that they don't work out of the
> > box and likely to leave the user/system in a perplexed/vulnerable
> > state.
>
> That is true, but users who download precompiled binaries are at the
> mercy of whoever prepared the package from the get-go, so this danger
> is not new, it is inherent to this way of installing Emacs. People
> who want to be completely in control should compile Emacs by
> themselves. We have instructions for that in nt/INSTALL.W64.

May I disagree with this that there is nothing to suggest that in the
official download page @
https://www.gnu.org/software/emacs/download.html, under Nonfree
systems/Windows:

"""
Windows

GNU Emacs for Windows can be downloaded from a nearby GNU mirror; or
the main GNU FTP server. Unzip the zip file preserving the directory
structure, and run bin\runemacs.exe. Alternatively, create a desktop
shortcut to bin\runemacs.exe, and start Emacs by double-clicking on
that shortcut's icon.

The Windows binaries are signed by Phillip Lord 8E64 B119 FE4B AC58
C767 D5EC E095 C1A6 3FB1 EAD2.
"""

If this is the official position, IMHO it should be clearly stated
somewhere obvious (unless I missed it). Otherwise people old or new to
emacs think these precompiled binaries are officially supported by the
project maintainers and should work out of the box.

> > May I point out that libgnu-2.6.12 ships in emacs-27.2-x86_64.zip
> > under bin/libgnutls-30.dll, and thus the responsibility to the
> > maintainer of the package to fix any shortfalls IMHO?
>
> We don't have a maintainer at this time. This was (and is) a
> volunteer project, and the volunteer who produced that bundle stepped
> down. If you'd like to replace him, I'm sure this will be very
> welcome. Or maybe someone else will soon.

I could possibly assist if needs be. I assume this is based on
trusting the person creating the package rather than having an
automated build process in place.

> > Currently the
> > official instructions to install the latest Gnu Emacs release from the
> > precompiled binaries from the official ftp site, install a version of
> > Emacs which is impaired, and won't work to its full potential out of
> > the box for any user. We need to either fix this so it works out of
> > the box, provide official instructions how to work around it, or
> > provide an official note that this is broken. Letting users being
> > unaware and thus vulnerable to the current behaviour IMHO is
> > suboptimal.
>
> There's a problem with the "we" part here. There's also a problem
> with providing instructions, because the fine details depend on what
> is already installed on the end-user's system. It's hard to provide a
> cookbook here.

My experience with the precompiled binaries zip file is well self
contained and does not depend on anything outside of it, other than
the windows kernel.

> > With regards to the suggested workaround
>
> It isn't a workaround, it's THE solution.

OK, there is a slight difference of opinion here. The solution for me
is to update the precompiled binaries with a recent GnuTLS version on
the official download site. Having the user to install MSYS2 and
locate the dll (or download the latest version from the GnuTLS CI) as
to overwrite a single dll in the official precompiled binary,
sounds like a work around to me.

> > 1. I've downloaded and unpacked
> > http://ftp.gnu.org/gnu/emacs/windows/emacs-27/emacs-27.2-x86_64.zip to
> > a local directory.
> > 2. Looking for the GnuTLS precompiled version for windows, I landed on
> > this page: https://www.gnutls.org/download.html
> > 2.1 There is a latest w64 version on gitlab link at
> > https://gitlab.com/gnutls/gnutls/builds/artifacts/3.7.2/download?job=MinGW64.DLLs
> > that redirects to a 404.
>
> The correct place to update GnuTLS is from the MSYS2 project, which is
> where all the optional DLLs in the binary bundle come from. The URL
> is in nt/INSTALL.W64; start by installing pacman, and then fetch the
> latest mingw64 libgnutls DLLs. (I myself don't use that, so
> unfortunately I cannot give you more details, but perhaps someone else
> here will.)

Yeah, I've tested this to work too. I was trying to follow up what I
thought was your suggestion earlier and whence the instructions above.

> Alternatively, I believe you can tell the Emacs NSM, once, to trust
> ELPA regardless of the certificate, and then it will work henceforth.
> (This _is_ a workaround.)

You do get a prompt when `packages' try to connect in the GUI, but in
the batch mode (as in the Eldev case, where the error happens on a
cloud server somewhere in GitHub without the user input) you don't,
though it should be possible to disable programmatically as a possible
work around indeed.

> In any case, this is not a bug in Emacs.

Agreed, it is an issue with the latest official precompiled MS-Windows
binaries.
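
The message above quotes the signing-key fingerprint from the download page. This added example (not part of the original thread or of any Emacs script) checks that a downloaded bundle was signed by that key, parsing GnuPG's machine-readable status lines instead of its human-readable output. It assumes a detached signature file was fetched next to the zip and that the signer's public key is already in the local keyring; the function names are hypothetical.

```shell
#!/bin/sh
# Fingerprint as quoted in the message from the GNU Emacs download page.
EXPECTED_FPR="8E64 B119 FE4B AC58 C767 D5EC E095 C1A6 3FB1 EAD2"

# Normalise a fingerprint: drop spaces and newlines, upper-case the hex digits.
norm_fpr() { printf '%s' "$1" | tr -d ' \n' | tr 'a-f' 'A-F'; }

# Read `gpg --status-fd` lines on stdin. Succeed only if a VALIDSIG line
# names the expected fingerprint, either as the signing key (field 3) or as
# the primary key (last field), and no BADSIG/ERRSIG/REVKEYSIG was reported.
check_status() {
    want=$(norm_fpr "$1")
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { exit ((ok && !bad) ? 0 : 1) }
    '
}

# verify_bundle ZIP SIG: run gpg and require the pinned fingerprint.
# A missing public key yields ERRSIG, so an unknown signer is rejected too.
verify_bundle() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        check_status "$EXPECTED_FPR"
}

# Stand-alone use: sh verify.sh <bundle.zip> <bundle.zip.sig>
if [ "$#" -eq 2 ]; then
    if verify_bundle "$1" "$2"; then
        echo "signature OK, signed by expected key"
    else
        echo "signature check FAILED" >&2
        exit 1
    fi
fi
```

Pinning the full fingerprint matters because a signature that is merely "good" proves only that some key in the keyring made it. Run the check on the original zip before replacing any DLL inside the unpacked tree, since the signature covers the archive and not its extracted contents.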