From: Jean Louis <bugs@gnu.support>
To: emacs-devel@gnu.org
Subject: Re: Enforcing TLS for GNU ELPA
Date: Tue, 20 Oct 2020 14:38:02 +0300 [thread overview]
Message-ID: <20201020112017.GA3222@t400> (raw)
In-Reply-To: <20201020100701.GF1842@odonien.localdomain>
* Vasilij Schneidermann <mail@vasilij.de> [2020-10-20 13:07]:
> > > - There's still Windows users who do not have an installation with the
> > > gnutls libraries, despite the strong suggestion to download it for the
> > > full experience.
> >
> > I would say, sorry, there is no access to Emacs supported packages. If
> > they want without signing, they can find out configuration option.
> >
> > > - Emacs versions below 26.1 are affected by a HTTPS proxy bug [1] that
> > > makes life in corporate environments hard.
> >
> > I would say sorry for that, and would push security.
>
> What you propose is different: Adjust the default value of
> `package-archives` to always use https:// URLs, whereas I propose a more
> invasive change: Adjust the server-side behavior to not allow any kind
> of opt-out.
That way the SSL security is not enforced from Emacs side, but from
various servers, there can be plethora of ELPArchives online. Then
users depend on each single server.
> > Administrator in corporate environment can provide all allowed or by
> > corporation approved packages to each user, either by making general
> > settings on a single computer, or by entering defaults in
> > /etc/skel/.emacs.d/elpa/you-name-it
> >
> > Majority of GNU/Linux distributions already have Emacs packages inside
> > of distribution. Some of them have more than few hundred packages.
> >
> > In that sense, corporate environment is not a problem as BOFH can do
> > it for its users.
>
> That assumes a different kind of corporate environment where the focus
> is on provisioning users with software known to be safe. The issue I've
> pointed out is about communication via corporation-mandated proxy being
> impossible, something very different.
Those users can ask for permission and bring their packages on a
storage, as networked ELPA is for network, it assumes people have access.
ELPA can be on storage, it need not be on network, it can be on file
system.
prev parent reply other threads:[~2020-10-20 11:38 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-19 22:10 Enforcing TLS for GNU ELPA Vasilij Schneidermann
2020-10-19 22:20 ` Vasilij Schneidermann
2020-10-19 22:30 ` Stefan Monnier
2020-10-20 7:50 ` tomas
2020-10-20 9:05 ` Jean Louis
2020-10-20 10:07 ` Vasilij Schneidermann
2020-10-20 11:38 ` Jean Louis [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201020112017.GA3222@t400 \
--to=bugs@gnu.support \
--cc=emacs-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).