From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: Paul Eggert <eggert@cs.ucla.edu>
Newsgroups: gmane.emacs.bugs
Subject: bug#22202: 24.5;
	SECURITY ISSUE -- Emacs Server vulnerable to random number generator
	attack on Windows systems
Date: Tue, 19 Jan 2016 09:38:23 -0800
Organization: UCLA Computer Science Department
Message-ID: <569E748F.6090800@cs.ucla.edu>
References: <569BF8F7.3090904@cs.ucla.edu> <83fuxuevs2.fsf@gnu.org>
	<569D5004.5080701@cs.ucla.edu> <83h9iad26y.fsf@gnu.org>
	<569DCAD4.30606@cs.ucla.edu> <83y4blbkrj.fsf@gnu.org>
	<m2oachpkmi.fsf@newartisans.com>
NNTP-Posting-Host: plane.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Trace: ger.gmane.org 1453225161 32030 80.91.229.3 (19 Jan 2016 17:39:21 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Tue, 19 Jan 2016 17:39:21 +0000 (UTC)
Cc: rcopley@gmail.com, 22202@debbugs.gnu.org, deng@randomsample.de
To: John Wiegley <johnw@gnu.org>, Eli Zaretskii <eliz@gnu.org>
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Tue Jan 19 18:39:10 2016
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by plane.gmane.org with esmtp (Exim 4.69)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1aLaFJ-0004z7-75
	for geb-bug-gnu-emacs@m.gmane.org; Tue, 19 Jan 2016 18:39:09 +0100
Original-Received: from localhost ([::1]:38523 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1aLaFI-0004mk-HW
	for geb-bug-gnu-emacs@m.gmane.org; Tue, 19 Jan 2016 12:39:08 -0500
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:41762)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1aLaFE-0004mf-W2
	for bug-gnu-emacs@gnu.org; Tue, 19 Jan 2016 12:39:05 -0500
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1aLaFC-0000nK-8g
	for bug-gnu-emacs@gnu.org; Tue, 19 Jan 2016 12:39:04 -0500
Original-Received: from debbugs.gnu.org ([208.118.235.43]:37508)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1aLaFC-0000nD-56
	for bug-gnu-emacs@gnu.org; Tue, 19 Jan 2016 12:39:02 -0500
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1aLaFB-0005Xu-SN
	for bug-gnu-emacs@gnu.org; Tue, 19 Jan 2016 12:39:01 -0500
X-Loop: help-debbugs@gnu.org
Resent-From: Paul Eggert <eggert@cs.ucla.edu>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Tue, 19 Jan 2016 17:39:01 +0000
Resent-Message-ID: <handler.22202.B22202.145322511321282@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 22202
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: security
Original-Received: via spool by 22202-submit@debbugs.gnu.org id=B22202.145322511321282
	(code B ref 22202); Tue, 19 Jan 2016 17:39:01 +0000
Original-Received: (at 22202) by debbugs.gnu.org; 19 Jan 2016 17:38:33 +0000
Original-Received: from localhost ([127.0.0.1]:53961 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1aLaEi-0005XC-SU
	for submit@debbugs.gnu.org; Tue, 19 Jan 2016 12:38:33 -0500
Original-Received: from zimbra.cs.ucla.edu ([131.179.128.68]:49685)
	by debbugs.gnu.org with esmtp (Exim 4.84)
	(envelope-from <eggert@cs.ucla.edu>) id 1aLaEh-0005Ww-0B
	for 22202@debbugs.gnu.org; Tue, 19 Jan 2016 12:38:31 -0500
Original-Received: from localhost (localhost [127.0.0.1])
	by zimbra.cs.ucla.edu (Postfix) with ESMTP id 5460F160D05;
	Tue, 19 Jan 2016 09:38:24 -0800 (PST)
Original-Received: from zimbra.cs.ucla.edu ([127.0.0.1])
	by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10032)
	with ESMTP id tJE2GHAKsWQj; Tue, 19 Jan 2016 09:38:23 -0800 (PST)
Original-Received: from localhost (localhost [127.0.0.1])
	by zimbra.cs.ucla.edu (Postfix) with ESMTP id 51A26160D77;
	Tue, 19 Jan 2016 09:38:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at zimbra.cs.ucla.edu
Original-Received: from zimbra.cs.ucla.edu ([127.0.0.1])
	by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10026)
	with ESMTP id DY4aOOJ4MU3g; Tue, 19 Jan 2016 09:38:23 -0800 (PST)
Original-Received: from penguin.cs.ucla.edu (Penguin.CS.UCLA.EDU [131.179.64.200])
	by zimbra.cs.ucla.edu (Postfix) with ESMTPSA id 3795E160D05;
	Tue, 19 Jan 2016 09:38:23 -0800 (PST)
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101
	Thunderbird/38.5.0
In-Reply-To: <m2oachpkmi.fsf@newartisans.com>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 208.118.235.43
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
	the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-gnu-emacs>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org
Original-Sender: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org
Xref: news.gmane.org gmane.emacs.bugs:111753
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/111753>

On 01/19/2016 09:03 AM, John Wiegley wrote:
> What critical feature is GnuTLS buying for us that would make this worthwhile,
> Paul?

There is nothing "critical" here. This is just a minor issue, one that 
has been blown all out of proportion. Using GnuTLS when available 
lessens use of system resources and simplifies auditing, but Emacs could 
get by without this minor bugfix-improvement.

> why do we need a dependency on GnuTLS

There isn't a dependency on GnuTLS in the usual sense: that is, if 
GnuTLS is absent, the code still works as before. The only dependency is 
that we trust the GnuTLS library to work when it is present, and to 
report an error if one occurs. This is a reasonable assumption, both 
here and elsewhere in Emacs.