From: Jimmy Yuen Ho Wong
Newsgroups: gmane.emacs.devel
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Sun, 8 Jul 2018 19:54:16 +0100
To: Lars Ingebrigtsen
Cc: Paul Eggert, Emacs-Devel devel
> Some people want these checks on the TLS level, and that's why those
> checks exist. It's perfectly reasonable for a user with a specific need
> (for instance, to talk to a particularly ornery old private SSL 0.9
> server) to use the gnutls functions and variables directly when
> implementing their solution.

It's not about what they want, but about what to give them so they can accomplish what they want to do without getting confused by the contradictory docs, and reading the source code. The pretense of NSM taking care of all network security matters does not match the reality. And from the sense I get, there's no intention to turn that ideal into reality either.

Nobody is talking about taking away functionality here. You can remove/replace/rename/change things and still provide equivalent functionality.

> That's why these things are layered. gnutls is a low-level library that
> allows tweaking certain things about the connections it provides.
>
> The NSM is a high-level user facing library. Merging the two doesn't
> seem to make much sense.
>
> Both here and in other places in this thread you seem to fixate on the
> particular use cases you're interested in to the extent that you say
> that other use cases are wrong, somehow. People have different needs
> and different approaches, and Emacs should empower them to get their
> work done, and not pressure them into doing it the way we think they
> should do it.

We are talking about what should be the defaults here. As I've said in that giant email a couple of days ago, you can have both reasonable OOTB settings and freedom. If you haven't read it, I urge you to.
How about this: I'll be satisfied if we append :group 'nsm on the gnutls defcustoms, so they show up on both the gnutls customize group **and** nsm, and document in the docstrings the effects on NSM checks if you mess with these GnuTLS settings? This doesn't sound too drastic and saves users from having to dig around 2 different places or resort to trial and error to figure out their interactions.
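As an added illustration of the proposal above (not code from this thread or from Emacs itself), here is a hypothetical stand-in for a gnutls defcustom registered under two Customize groups, with a docstring that spells out the interaction with NSM, plus a small helper that reports which groups list an option. The option, group names and described behaviour are invented for the example.

```elisp
;; Hypothetical stand-ins for the real gnutls and nsm groups (invented names).
(defgroup example-gnutls nil "Stand-in for the gnutls Customize group." :group 'comm)
(defgroup example-nsm nil "Stand-in for the nsm Customize group." :group 'comm)

;; Hypothetical stand-in for a gnutls.el option; its behaviour is illustrative.
(defcustom example-gnutls-verify-error nil
  "Non-nil means fail the TLS handshake itself when the certificate is invalid.

Interaction with NSM: when this is non-nil the connection is refused
before the Network Security Manager ever sees it, so the per-host
prompts governed by `network-security-level' are never offered.
Leave it nil if you want NSM to make the decision."
  :type 'boolean
  ;; Giving :group twice is what makes the option show up under
  ;; M-x customize-group RET for *either* group name.
  :group 'example-gnutls
  :group 'example-nsm)

(defun example-option-groups (symbol)
  "Return every Customize group that lists SYMBOL as a member.
Membership is recorded on each group symbol's `custom-group' property
as (MEMBER WIDGET) entries, so we scan all interned symbols for it."
  (let (groups)
    (mapatoms
     (lambda (group)
       (when (assq symbol (get group 'custom-group))
         (push group groups))))
    groups))

;; (example-option-groups 'example-gnutls-verify-error)
;; => (example-nsm example-gnutls) in some order
```

The helper is a way to verify, after such a patch, that a given gnutls option really is reachable from both groups rather than relying on reading the source.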