From: Ted Zlatanov
Newsgroups: gmane.emacs.devel
Subject: Re: GnuTLS for W32
Date: Thu, 05 Jan 2012 19:43:26 -0500
Message-ID: <877h151x01.fsf@lifelogs.com>
Reply-To: emacs-devel@gnu.org
To: emacs-devel@gnu.org

On Fri, 6 Jan 2012 00:38:41 +0100 Juanma Barranquero wrote:

JB> 2012/1/6 Ted Zlatanov:
>> I meant Emacs, the software, not just its binary form.  Forget the
>> binaries; you and Lars are protesting a startup check that critical
>> packages like GnuTLS are not out of date.

JB> When you say that, you are not talking about gnutls.el, you are
JB> talking about the GnuTLS binary, so no, I cannot forget the binaries.
JB> That's the whole point of the discussion (at least, of the part of the
JB> discussion I'm involved in).

No, what I was proposing was a startup check that the "gnutls-critical"
package is up to date, meaning what the user has installed is the latest
on the GNU ELPA.  This does not mean the latest GnuTLS is installed.

The "gnutls-critical" package may do more afterwards, depending on the
OS.  On W32 it may trigger a patch eventually.  At first it will just
display a warning, as Chad suggested.  On GNU/Linux I think it should
leave the package management alone but still display a warning.

>> I can't think of a better way to notify them that an Emacs component
>> is out of date and possibly compromising their security.

JB> The GnuTLS binary is *not* an "Emacs component".

I think the C glue to GnuTLS is an Emacs component, deeply embedded.
The point of an exploit is that it can cross the barrier between "not a
component/not our problem" and "oh crap."

On Fri, 6 Jan 2012 01:05:36 +0100 Juanma Barranquero wrote:

JB> GnuTLS is not required to "adopt Emacs". I would say that, for a
JB> Windows user, adding the image libraries would be more useful than
JB> GnuTLS, because I bet most of them are not going to start using Emacs
JB> to read e-mail or surf the web.

I believe `open-network-stream' can use GnuTLS for HTTPS connections,
which matters for a lot of cases, e.g. package.el.  I agree about the
image libraries, though, they should also be included in an installer.

JB> But, as for "why not"... Why? Why us? Why cannot the people who are so
JB> interested in doing it just set a side project to build an Emacs
JB> installer, and be done with it?

I need the "gnutls-critical" startup check or some other way to tell the
user their GnuTLS version is at risk *by default*.  This will be useful
on Mac OS X as well in some cases, as I mentioned.

That's all I need from emacs-devel (so Stefan or Chong's approval, I
guess); the rest of the work will be on the GNU ELPA "gnutls-critical"
package and a W32 installer, and does not need to involve anyone
uninterested.

Ted