From: Jean Louis
Newsgroups: gmane.emacs.devel
Subject: Re: Enforcing TLS for GNU ELPA
Date: Tue, 20 Oct 2020 14:38:02 +0300
Message-ID: <20201020112017.GA3222@t400>
References: <20201019221020.GD1842@odonien.localdomain> <20201020100701.GF1842@odonien.localdomain>
User-Agent: Mutt/1.10.1 (2018-07-13)
To: emacs-devel@gnu.org
In-Reply-To: <20201020100701.GF1842@odonien.localdomain>
Xref: news.gmane.io gmane.emacs.devel:258461

* Vasilij Schneidermann [2020-10-20 13:07]:
> > > - There are still Windows users who do not have an installation with the
> > >   gnutls libraries, despite the strong suggestion to download it for the
> > >   full experience.
> >
> > I would say, sorry, there is no access to Emacs supported packages. If
> > they want it without signing, they can find out the configuration option.
> >
> > > - Emacs versions below 26.1 are affected by an HTTPS proxy bug [1] that
> > >   makes life in corporate environments hard.
> >
> > I would say sorry for that, and would push security.
>
> What you propose is different: Adjust the default value of
> `package-archives` to always use https:// URLs, whereas I propose a more
> invasive change: Adjust the server-side behavior to not allow any kind
> of opt-out.

That way the SSL security is not enforced from the Emacs side but from
various servers; there can be a plethora of ELPA archives online. Then
users depend on each single server.
> > An administrator in a corporate environment can provide all allowed or
> > corporation-approved packages to each user, either by making general
> > settings on a single computer, or by entering defaults in
> > /etc/skel/.emacs.d/elpa/you-name-it
> >
> > The majority of GNU/Linux distributions already have Emacs packages inside
> > the distribution. Some of them have more than a few hundred packages.
> >
> > In that sense, a corporate environment is not a problem as the BOFH can do
> > it for its users.
>
> That assumes a different kind of corporate environment where the focus
> is on provisioning users with software known to be safe. The issue I've
> pointed out is about communication via a corporation-mandated proxy being
> impossible, something very different.

Those users can ask for permission and bring their packages on storage,
as networked ELPA is for the network; it assumes people have access.
ELPA can be on storage; it need not be on the network, it can be on the
file system.
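As an added example (not from this thread or from Emacs itself), the client-side variant discussed above expressed in Emacs Lisp: an https-only `package-archives` list, a local file-system archive alongside it, certificate errors made fatal, and a small audit of the configured archives. The local path `/srv/elpa-mirror/` and the `my/` helper are assumptions.

```elisp
;; Added example: client-side hardening of Emacs package archives.
;; Assumes GNU Emacs 26+ built with gnutls support.
(require 'package)
(require 'seq)

;; Networked archives over TLS only; a local directory archive
;; (assumed site-provided path) needs no network access at all.
(setq package-archives
      '(("gnu"   . "https://elpa.gnu.org/packages/")
        ("local" . "/srv/elpa-mirror/")))   ; assumed path, not a real mirror

;; Treat certificate problems as errors rather than warnings.
(setq gnutls-verify-error t
      network-security-level 'high)

;; Require valid signatures for every package and archive listing.
(setq package-check-signature 'all)

(defun my/insecure-package-archives ()
  "Return entries of `package-archives' that use plain http://."
  (seq-filter (lambda (entry)
                (string-prefix-p "http://" (cdr entry)))
              package-archives))

;; Surface any cleartext archive at startup so it cannot go unnoticed.
(let ((insecure (my/insecure-package-archives)))
  (when insecure
    (warn "Plain-http package archives configured: %S" insecure)))
```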