From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!.POSTED!not-for-mail From: Eli Zaretskii Newsgroups: gmane.emacs.devel Subject: Re: A couple of questions and concerns about Emacs network security Date: Fri, 06 Jul 2018 09:01:32 +0300 Message-ID: <83fu0wnbr7.fsf@gnu.org> References: <20180705093346.071e6970@jabberwock.cb.piermont.com> NNTP-Posting-Host: blaine.gmane.org X-Trace: blaine.gmane.org 1530856844 14522 195.159.176.226 (6 Jul 2018 06:00:44 GMT) X-Complaints-To: usenet@blaine.gmane.org NNTP-Posting-Date: Fri, 6 Jul 2018 06:00:44 +0000 (UTC) Cc: larsi@gnus.org, eggert@cs.ucla.edu, emacs-devel@gnu.org, wyuenho@gmail.com, perry@piermont.com To: rms@gnu.org Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Fri Jul 06 08:00:39 2018 Return-path: Envelope-to: ged-emacs-devel@m.gmane.org Original-Received: from lists.gnu.org ([208.118.235.17]) by blaine.gmane.org with esmtp (Exim 4.84_2) (envelope-from ) id 1fbJnK-0003bE-83 for ged-emacs-devel@m.gmane.org; Fri, 06 Jul 2018 08:00:38 +0200 Original-Received: from localhost ([::1]:55924 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fbJpP-0003hU-Qk for ged-emacs-devel@m.gmane.org; Fri, 06 Jul 2018 02:02:47 -0400 Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:36246) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fbJoP-0003gU-3w for emacs-devel@gnu.org; Fri, 06 Jul 2018 02:01:48 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1fbJoJ-0006lG-KX for emacs-devel@gnu.org; Fri, 06 Jul 2018 02:01:45 -0400 Original-Received: from fencepost.gnu.org ([2001:4830:134:3::e]:42639) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fbJoJ-0006kV-G8; Fri, 06 Jul 2018 02:01:39 -0400 Original-Received: from [176.228.60.248] (port=3256 helo=home-c4e4a596f7) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1fbJoB-0000Hd-Fd; Fri, 06 Jul 2018 02:01:31 -0400 In-reply-to: (message from Richard Stallman on Thu, 05 Jul 2018 18:44:14 -0400) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 2001:4830:134:3::e X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Original-Sender: "Emacs-devel" Xref: news.gmane.org gmane.emacs.devel:226984 Archived-At: > From: Richard Stallman > Date: Thu, 05 Jul 2018 18:44:14 -0400 > Cc: larsi@gnus.org, eggert@cs.ucla.edu, wyuenho@gmail.com, emacs-devel@gnu.org > > The idea is that we make sure users see a chance to choose between the > alternatives (convenience and safety) early enough that they won't be > unsafe. The choice should come with an explanation of each option, > first stating what situations it is recommended for, then what it does. The early enough part is already in place, I think: the NSM pops up the first time some security related issue is discovered, and asks the user to decide what to do about that. The user then is given the option of making the decision permanent or only for this particular connection. The other part of your proposal is exactly what I think we should do, and that was the motive behind all my comments to the recent related bug reports and contributions: we should have the issues and their remedies explained and documented, so that users could make informed decisions when those matter.