Replace starttls.el with GNUTLS based version?

Replace starttls.el with GNUTLS based version?

[Simon Josefsson]

How many uses STARTTLS?  For SMTP or IMAP?  The external program
'starttls' isn't widely available (e.g., not packaged by Debian) and
it uses OpenSSL, so I would like to replace the current starttls.el
with a (partially) backwards compatible version that uses GNUTLS.  It
is currently installed in Gnus CVS contrib/starttls.el, and I have
been using it for a while.

The only problem I perceive is that if anyone is using client X.509
certificates, they will have to move from `starttls-extra-args' to
`starttls-extra-argument'.  (That is the backwards incompatible part.)
Because there appear to be a bug in the "starttls" application that
make client authentication useless because the verification result is
ignored, I suspect not many uses X.509 client certificates with
STARTTLS, or at least not anyone who cares enough about security to
audit the tools they use.  So nobody, even users that have configured
client certificates, would lose security by changing to anonymous TLS
with gnutls-cli.  However, they can increase security by setting the
new s-e-a variable.

So, does anyone have an opinion for or against moving
gnus/contrib/starttls.el into gnus/lisp/starttls.el and
emacs/lisp/gnus/starttls.el?  In Emacs, lisp/gnus/imap.el have to be
modified as well (it currently use hard coded filenames, and assumes
things about how the old starttls.el was implemented), but
lisp/mail/smtpmail.el work with STARTTLS unmodified.

To test this in Gnus, simply copy contrib/starttls.el over
lisp/starttls.el and rebuild.

Re: Replace starttls.el with GNUTLS based version?

[Richard Stallman]

    So, does anyone have an opinion for or against moving
    gnus/contrib/starttls.el into gnus/lisp/starttls.el and
    emacs/lisp/gnus/starttls.el?

Do we have legal papers for it?

Re: Replace starttls.el with GNUTLS based version?

[Simon Josefsson]

Richard Stallman <rms@gnu.org> writes:

>     So, does anyone have an opinion for or against moving
>     gnus/contrib/starttls.el into gnus/lisp/starttls.el and
>     emacs/lisp/gnus/starttls.el?
>
> Do we have legal papers for it?

Yes, I wrote it, and believe it is covered by my Gnus and Emacs
assignments.  It seems like some people find GNUTLS harder to compile
than starttls, so the solution might be to merge the old and the new
version, so it can use either starttls or gnutls-cli.

Re: Replace starttls.el with GNUTLS based version?

[Stefan Monnier]

> assignments.  It seems like some people find GNUTLS harder to compile
> than starttls,

And others already have starttls and might get annoyed if they suddenly
have to cmpile/install gnutls just because we switched code.
That'd be OK if starttls is non-free, but I believe this is not the case.

> so the solution might be to merge the old and the new
> version, so it can use either starttls or gnutls-cli.

I think that's the best solution.


        Stefan