From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!.POSTED!not-for-mail
From: Eli Zaretskii <eliz@gnu.org>
Newsgroups: gmane.emacs.devel
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Fri, 06 Jul 2018 11:49:45 +0300
Message-ID: <83601sn3yu.fsf@gnu.org>
References: <m236xe5vo2.fsf@mobilecat.lan>
	<eba313cf-104d-50dd-f1cd-4acb15864c0f@cs.ucla.edu>
	<CAM-tV--kcS34bGfMdDNziFp9S8LE5fjeT0V6n-QfM7Gnkde+rA@mail.gmail.com>
	<83po0iuhs7.fsf@gnu.org>
	<20180705113320.17e6b8ee@jabberwock.cb.piermont.com>
	<83po01mrvh.fsf@gnu.org> <87po00ahg9.fsf@gmail.com>
NNTP-Posting-Host: blaine.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Trace: blaine.gmane.org 1530866899 27972 195.159.176.226 (6 Jul 2018 08:48:19 GMT)
X-Complaints-To: usenet@blaine.gmane.org
NNTP-Posting-Date: Fri, 6 Jul 2018 08:48:19 +0000 (UTC)
Cc: emacs-devel@gnu.org
To: Robert Pluim <rpluim@gmail.com>
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Fri Jul 06 10:48:15 2018
Return-path: <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>
Envelope-to: ged-emacs-devel@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by blaine.gmane.org with esmtp (Exim 4.84_2)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1fbMPX-00077f-24
	for ged-emacs-devel@m.gmane.org; Fri, 06 Jul 2018 10:48:15 +0200
Original-Received: from localhost ([::1]:56420 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1fbMRe-0002fP-Ak
	for ged-emacs-devel@m.gmane.org; Fri, 06 Jul 2018 04:50:26 -0400
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:60072)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <eliz@gnu.org>) id 1fbMR1-0002ez-4L
	for emacs-devel@gnu.org; Fri, 06 Jul 2018 04:49:49 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <eliz@gnu.org>) id 1fbMQx-0000Ff-L0
	for emacs-devel@gnu.org; Fri, 06 Jul 2018 04:49:47 -0400
Original-Received: from fencepost.gnu.org ([2001:4830:134:3::e]:44152)
	by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <eliz@gnu.org>)
	id 1fbMQx-0000FI-GT; Fri, 06 Jul 2018 04:49:43 -0400
Original-Received: from [176.228.60.248] (port=1942 helo=home-c4e4a596f7)
	by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
	(Exim 4.82) (envelope-from <eliz@gnu.org>)
	id 1fbMQw-0006F5-Oe; Fri, 06 Jul 2018 04:49:43 -0400
In-reply-to: <87po00ahg9.fsf@gmail.com> (message from Robert Pluim on Fri, 06
	Jul 2018 10:36:54 +0200)
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2001:4830:134:3::e
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: "Emacs development discussions." <emacs-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/emacs-devel/>
List-Post: <mailto:emacs-devel@gnu.org>
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=subscribe>
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Original-Sender: "Emacs-devel" <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>
Xref: news.gmane.org gmane.emacs.devel:226989
Archived-At: <http://permalink.gmane.org/gmane.emacs.devel/226989>

> From: Robert Pluim <rpluim@gmail.com>
> Cc: "Perry E. Metzger" <perry@piermont.com>,  larsi@gnus.org,  eggert@cs.ucla.edu,  emacs-devel@gnu.org,  npostavs@gmail.com,  wyuenho@gmail.com
> Date: Fri, 06 Jul 2018 10:36:54 +0200
> 
> > Anyway, it seems you completely miss my point: I didn't say that we
> > shouldn't increase the number of bits, just that we shouldn't do that
> > on the release branch, unless we are willing to delay Emacs 26.2
> > significantly.
> 
> FWIW, Iʼve had gnutls-min-prime-bits set to 1024 since 2014-11-25, and
> have seen no adverse effects from it, so I donʼt think the risk is
> that great.

Thanks for the data point.

Unfortunately, our experience is that use patterns vary widely between
different Emacs users, and so problem-free experience of a single
individual, or even several people, is not enough to be sure there are
no significant issues.  And TLS secured connections are central to
many Emacs features.

Emacs 26.2 is supposed to have fewer significant bugs than Emacs 26.1,
so we must be careful if we make changes that could bring new
problems.