From: Neil Okamoto
Newsgroups: gmane.emacs.devel
Subject: Re: TLS certificate on elpa.gnu.org
Date: Sun, 4 Feb 2018 12:11:40 -0800
References: <314F38A2-9B19-46C2-809A-FAFB5B5EC822@gmail.com> <83efm0afbq.fsf@gnu.org> <834lmwabjh.fsf@gnu.org>
In-Reply-To: <834lmwabjh.fsf@gnu.org>
To: Eli Zaretskii
Cc: Philipp Stephani, emacs-devel@gnu.org

> On Feb 4, 2018, at 9:51 AM, Eli Zaretskii wrote:
>
>> From: Philipp Stephani
>> Date: Sun, 04 Feb 2018 16:48:04 +0000
>> Cc: Neil Okamoto, emacs-devel@gnu.org
>>
>> Isn't this an awfully old version of GnuTLS?
>>
>> It is the version shipped with the current LTS version of Ubuntu: https://packages.ubuntu.com/trusty/gnutls-bin
>>
>>> It’s causing me to introduce workarounds, such as downloading a newer gnutls source package and
>>> compiling it locally in the Travis CI build. I would really prefer not to do this. It adds unnecessary time and
>>> complexity to the CI setup for some Emacs packages, and (conversely) one can imagine other Emacs
>>> package maintainers may be avoiding the complexity by not implementing CI for their projects.
>>>
>>> Can someone more knowledgeable about the standards, the evolution of gnutls since 2.12, and the server
>>> configuration of elpa.gnu.org please weigh in on this?
>>
>> I'm not such an expert on this, but in general, security assumes
>> latest versions of related software and databases.
>>
>> Security requires *patched* versions, not *updated* versions. That's a big difference. Ubuntu LTS gets
>> security patches until the end of its lifetime, but no bug fixes or new features. The security patches only fix
>> vulnerabilities.
>
> To me, the fact that a newer version of GnuTLS doesn't show this
> problem means that the issue was resolved by further development of
> that package. Maybe Ubuntu needs to backport more patches?
>
> Anyway, we can continue discussing this here to Kingdom Come, but if
> we want to hear from experts, this issue should be brought on the
> GnuTLS mailing list, not here.

Ok, I’m re-posting to gnutls-help.
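The workaround described in the quoted message (building a newer GnuTLS inside the Travis CI job) is easier to reason about when the CI job first states which GnuTLS it is running and whether that GnuTLS can verify the elpa.gnu.org certificate chain, so a failure is reported as a TLS toolchain problem rather than as an opaque package-install error. The preflight script below is an added example written for this thread; it is not code from the thread, from Emacs, or from any ELPA package. It assumes gnutls-cli is on PATH, that the Debian/Ubuntu CA bundle is at /etc/ssl/certs/ca-certificates.crt, and that the minimum version 3.0.0 is a placeholder threshold (the thread only says that 2.12 is too old and a newer release works, not which one).

```shell
#!/bin/sh
# Added example for the elpa.gnu.org / old-GnuTLS thread; not code from
# the thread or from Emacs. Run as:  sh preflight.sh run
#
# Assumptions (not facts from the thread):
#   - gnutls-cli is installed and on PATH
#   - the CA bundle path below is the Debian/Ubuntu one
#   - MIN_GNUTLS_VERSION is a placeholder threshold, not a known-good value

MIN_GNUTLS_VERSION="${MIN_GNUTLS_VERSION:-3.0.0}"
ELPA_HOST="${ELPA_HOST:-elpa.gnu.org}"
CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"

# gnutls_version_from_banner LINE
# Extracts the dotted version from the first line of `gnutls-cli --version`,
# which reads e.g. "gnutls-cli (GnuTLS) 2.12.23" or "gnutls-cli 3.6.13".
# Prints nothing if no version is present.
gnutls_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/.*[[:space:]]\([0-9][0-9.]*\).*/\1/p'
}

# version_lt A B
# Returns 0 (true) when dotted version A is older than B, comparing each
# component numerically, so that 2.12.23 < 3.0.0 and 3.9 < 3.10 (a plain
# string comparison would get the second one wrong). Missing trailing
# components count as 0, so 3.0 equals 3.0.0. Components must be numeric.
# POSIX sh has no `local`, so a/b/ai/bi are ordinary shell variables.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 1
}

# verify_server_chain HOST
# Opens a TLS connection with gnutls-cli, verifying the server chain against
# the CA bundle, and closes it immediately (empty stdin). Current GnuTLS
# releases exit non-zero when the handshake or chain verification fails;
# treating that as a build failure here is the point of the preflight.
verify_server_chain() {
    printf '' | gnutls-cli --x509cafile "$CA_BUNDLE" -p 443 "$1" >/dev/null 2>&1
}

# ci_preflight
# Report the GnuTLS version, refuse to continue if it is below the threshold,
# and confirm the ELPA host's chain verifies with this toolchain.
ci_preflight() {
    banner="$(gnutls-cli --version 2>/dev/null | head -n 1)"
    ver="$(gnutls_version_from_banner "$banner")"
    if [ -z "$ver" ]; then
        echo "preflight: gnutls-cli not found; cannot check the TLS toolchain" >&2
        return 2
    fi
    echo "preflight: GnuTLS $ver detected"
    if version_lt "$ver" "$MIN_GNUTLS_VERSION"; then
        echo "preflight: GnuTLS $ver is older than $MIN_GNUTLS_VERSION;" \
             "use a newer CI image or build a newer GnuTLS before installing packages" >&2
        return 1
    fi
    if ! verify_server_chain "$ELPA_HOST"; then
        echo "preflight: certificate chain for $ELPA_HOST did not verify with GnuTLS $ver" >&2
        return 1
    fi
    echo "preflight: TLS to $ELPA_HOST verified with GnuTLS $ver"
}

# Only run the network-touching preflight when explicitly asked to, so the
# helpers above can be sourced and reused without side effects.
case "${1:-}" in
    run) ci_preflight ;;
esac
```

Putting this as an early step in `.travis.yml` (or any CI config) makes the failure mode visible in the log: the job either says which GnuTLS it has and that the chain verified, or stops with a message naming the version gap, instead of a package download failing several steps later.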
