> On Feb 4, 2018, at 9:51 AM, Eli Zaretskii wrote:
>
>> From: Philipp Stephani
>> Date: Sun, 04 Feb 2018 16:48:04 +0000
>> Cc: Neil Okamoto, emacs-devel@gnu.org
>>
>> Isn't this an awfully old version of GnuTLS?
>>
>> It is the version shipped with the current LTS version of Ubuntu: https://packages.ubuntu.com/trusty/gnutls-bin
>>
>>> It’s causing me to introduce workarounds, such as downloading a newer gnutls source package and
>>> compiling it locally in the Travis CI build. I would really prefer not to do this. It adds unnecessary time and
>>> complexity to the CI setup for some Emacs packages, and (conversely) one can imagine other Emacs
>>> package maintainers may be avoiding the complexity by not implementing CI for their projects.
>>>
>>> Can someone more knowledgable about the standards, the evolution of gnutls since 2.12, and the server
>>> configuration of elope.gnu.org please weigh in on this?
>>
>> I'm not such an expert on this, but in general, security assumes
>> latest versions of related software and databases.
>>
>> Security requires *patched* versions, not *updated* versions. That's a big difference. Ubuntu LTS gets
>> security patches until the end of its lifetime, but no bug fixes or new features. The security patches only fix
>> vulnerabilities.
>
> To me, the fact that a newer version of GnuTLS doesn't show this
> problem means that the issue was resolved by further development of
> that package. Maybe Ubuntu needs to backport more patches?
>
> Anyway, we can continue discussing this here to Kingdom Come, but if
> we want to hear from experts, this issue should be brought on the
> GnuTLS mailing list, not here.

Ok, I’m re-posting to gnutls-help.