From: Vasilij Schneidermann
Newsgroups: gmane.emacs.devel
Subject: Re: Enforcing TLS for GNU ELPA
Date: Tue, 20 Oct 2020 12:07:01 +0200
Message-ID: <20201020100701.GF1842@odonien.localdomain>
References: <20201019221020.GD1842@odonien.localdomain>
To: Jean Louis
Cc: emacs-devel@gnu.org
> > - There are still Windows users who do not have an installation with the
> >   gnutls libraries, despite the strong suggestion to download it for the
> >   full experience.
>
> I would say, sorry, there is no access to Emacs-supported packages. If
> they want it without signing, they can find out the configuration option.
>
> > - Emacs versions below 26.1 are affected by an HTTPS proxy bug [1] that
> >   makes life in corporate environments hard.
>
> I would say sorry for that, and would push security.

What you propose is different: adjust the default value of
`package-archives` to always use https:// URLs, whereas I propose a more
invasive change: adjust the server-side behavior to not allow any kind of
opt-out.

> An administrator in a corporate environment can provide all allowed or
> corporation-approved packages to each user, either by making general
> settings on a single computer or by entering defaults in
> /etc/skel/.emacs.d/elpa/you-name-it
>
> The majority of GNU/Linux distributions already have Emacs packages
> inside the distribution. Some of them have more than a few hundred
> packages.
>
> In that sense, a corporate environment is not a problem, as the BOFH can
> do it for its users.

That assumes a different kind of corporate environment where the focus is
on provisioning users with software known to be safe. The issue I've
pointed out is about communication via a corporation-mandated proxy being
impossible, something very different.

> There is the reason of security; it could be announced in a new Emacs
> version. Provided it is done.

Yes, an announcement would be required in any case.
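The client-side counterpart of the https:// `package-archives` default discussed in this message, as an added example that is not from the thread or from Emacs itself: it rewrites http:// archive URLs, makes TLS verification failures hard errors and requires signed packages. It assumes an Emacs build with GnuTLS support; the `my/`-prefixed function names are hypothetical.

```elisp
;; Added example (not from the thread or from Emacs itself): make the
;; client refuse plain-http ELPA fetches, require certificate validation
;; and require signed packages. Assumes an Emacs build with GnuTLS.
(require 'package)
(require 'gnutls)
(require 'seq)

(defun my/https-url-p (url)
  "Return non-nil if URL is fetched over https (hypothetical helper)."
  (string-prefix-p "https://" url t))

(defun my/insecure-package-archives ()
  "Return `package-archives' entries whose location is not https.
Local directory archives count as non-https here and are reported too."
  (seq-remove (lambda (entry) (my/https-url-p (cdr entry)))
              package-archives))

(defun my/enforce-https-archives ()
  "Harden package fetching and rewrite http:// archive URLs to https://.
Returns the entries that still are not https after rewriting."
  (unless (gnutls-available-p)
    (error "GnuTLS is not available; refusing to fetch packages without TLS"))
  ;; Treat certificate validation failures as hard errors, not warnings.
  (setq gnutls-verify-error t)
  ;; Require a valid signature on packages and on archive-contents.
  (setq package-check-signature 'all)
  (setq package-archives
        (mapcar (lambda (entry)
                  (let ((name (car entry)) (url (cdr entry)))
                    (if (string-prefix-p "http://" url t)
                        ;; "http://" is 7 characters; keep the rest of the URL.
                        (cons name (concat "https://" (substring url 7)))
                      entry)))
                package-archives))
  (let ((left (my/insecure-package-archives)))
    (when left
      (message "Archives still not using https: %S" (mapcar #'car left)))
    left))

;; Constructed sample input: one http:// archive and one local directory.
(setq package-archives
      '(("gnu"   . "http://elpa.gnu.org/packages/")
        ("local" . "/srv/elpa/")))
(my/enforce-https-archives)
```

Drop the constructed `setq` at the end to run the check against your own `package-archives`; the returned list is what still needs attention.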