From: Vasilij Schneidermann
Newsgroups: gmane.emacs.devel
Subject: Re: Getting SSL test A+ grade on elpa.gnu.org
Date: Wed, 25 Nov 2020 18:38:12 +0100
Message-ID: <20201125173812.GD1558@odonien.localdomain>
To: 김민우
Cc: emacs-devel@gnu.org

> It could have a bad effect on security and privacy for emacs users. Would
> you apply only TLS 1.3 on elpa.gnu.org?

ITYM TLSv1.2 and upwards. Remember how GNU ELPA merely supporting TLSv1.3 required Emacs versions older than 26.3 to apply a workaround to successfully establish a connection to GNU ELPA?

Another thing to watch out for is the cipher suites. To reach a good rating several of them need to be disabled and extensive testing is required to ensure that we don't exclude users from fetching packages for no apparent reason.

Something else I'm curious about: what exactly blocks us from forcing an HTTP->HTTPS redirect? Is it waiting for Emacs 26.1 and newer to become a widely used Emacs version or are there others?

Vasilij