From: Eli Zaretskii
Newsgroups: gmane.emacs.devel
Subject: Re: TLS certificate on elpa.gnu.org
Date: Sun, 04 Feb 2018 19:51:14 +0200
Message-ID: <834lmwabjh.fsf@gnu.org>
To: Philipp Stephani
Cc: emacs-devel@gnu.org, neil.okamoto@gmail.com

> From: Philipp Stephani
> Date: Sun, 04 Feb 2018 16:48:04 +0000
> Cc: Neil Okamoto , emacs-devel@gnu.org
>
> Isn't this an awfully old version of GnuTLS?
>
> It is the version shipped with the current LTS version of Ubuntu: https://packages.ubuntu.com/trusty/gnutls-bin
>
> > It’s causing me to introduce workarounds, such as downloading a newer gnutls source package and
> > compiling it locally in the Travis CI build. I would really prefer not to do this. It adds unnecessary time and
> > complexity to the CI setup for some Emacs packages, and (conversely) one can imagine other Emacs
> > package maintainers may be avoiding the complexity by not implementing CI for their projects.
> >
> > Can someone more knowledgable about the standards, the evolution of gnutls since 2.12, and the server
> > configuration of elope.gnu.org please weigh in on this?
>
> I'm not such an expert on this, but in general, security assumes
> latest versions of related software and databases.
>
> Security requires *patched* versions, not *updated* versions. That's a big difference. Ubuntu LTS gets
> security patches until the end of its lifetime, but no bug fixes or new features. The security patches only fix
> vulnerabilities.

To me, the fact that a newer version of GnuTLS doesn't show this problem means that the issue was resolved by further development of that package. Maybe Ubuntu needs to backport more patches?

Anyway, we can continue discussing this here to Kingdom Come, but if we want to hear from experts, this issue should be brought up on the GnuTLS mailing list, not here.