From: Ted Zlatanov <tzz@lifelogs.com>
To: emacs-devel@gnu.org
Cc: Eric Abrahamsen <eric@ericabrahamsen.net>,
	Daiki Ueno <ueno@unixuser.org>,
	Jens Lechtenboerger <jens.lechtenboerger@fsfe.org>,
	Juliusz Chroboczek <jch@pps.univ-paris-diderot.fr>
Subject: Re: Release-critical bugs
Date: Wed, 24 Sep 2014 09:48:08 -0400
Message-ID: <87a95pnn8n.fsf@lifelogs.com>
In-Reply-To: arvbomvxvs.fsf@fencepost.gnu.org

On Wed, 17 Sep 2014 15:40:39 -0400 Glenn Morris <rgm@gnu.org> wrote: 

GM> David Engster wrote:

>> Especially the GnuTLS stuff goes way over my head, I'm afraid.

GM> And most people's I think. That's why these are long-term issues that
GM> don't see much progress. It seems far too late to make any changes
GM> related to GnuTLS for this release anyway. But nevertheless they remain
GM> important issues (which is why using severity in this way is not great).

Let me try to summarize (adding CCs to the parties involved that may not
read emacs-devel):

  http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16978 [emacs] 24.3; SSL/TLS with multiple man-in-the-middle vulnerabilities
  Reported by: Jens Lechtenboerger <jens.lechtenboerger <at> fsfe.org>; Date: Mon, 10 Mar 2014 07:00:02 UTC; Severity: important; Tags: security; Found in version 24.3; Filed 198 days ago; Modified 184 days ago

We made some fixes. To make things work well we'll need a certificate
management UI, which IMO can happen after the current release.

  http://debbugs.gnu.org/cgi/bugreport.cgi?bug=17625 [emacs] details of package signing mechanism
  Reported by: Eric Abrahamsen <eric <at> ericabrahamsen.net>; Date: Thu, 29 May 2014 03:12:01 UTC; Severity: important; Tags: security; Found in version 24.4.50; Filed 118 days ago; Modified 89 days ago

Daiki Ueno made some fixes. Stefan got the detailed steps for generating
a package signature and we need at least one package plus the
archive-contents signed by the maintainer in the GNU ELPA to test the
client behavior. This seems OK to me as far as the code.

Stefan suggested some behavior changes that we can implement and test
easily, but are not IMO critical for the release.

  http://debbugs.gnu.org/cgi/bugreport.cgi?bug=17660 [emacs] 24.3; gnutls-min-prime-bits is 256
  Reported by: Juliusz Chroboczek <jch <at> pps.univ-paris-diderot.fr>; Date: Sun, 1 Jun 2014 13:25:01 UTC; Severity: important; Tags: security; Found in version 24.3; Filed 115 days ago; Modified 110 days ago

This touches several older tickets.

I said "the proper fix seems to be to change the default for
`gnutls-algorithm-priority' but that may break some people's setups
(just like raising `gnutls-min-prime-bits' would)" and it's still the
case.  Opinions are welcome.

Considering the Emacs user base, I'd rather live with a slightly
insecure setting in 24.4 and address this in 24.5 together with the
certificate management UI.

I hope that's helpful.

Ted
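The two GnuTLS settings discussed in this message (bug 17660), as an added example that is not from the thread or from the Emacs sources: an Emacs Lisp check that flags the weak values and a function that sets stricter ones. The 1024-bit floor, the priority string and the `my-` names are my assumptions; `gnutls-min-prime-bits` and `gnutls-algorithm-priority` are the real variables the message names.

```elisp
;; Added example, not code from the thread.  Checks and hardens the
;; two Emacs GnuTLS settings named in bug 17660.
(require 'gnutls)

(defconst my-gnutls-min-acceptable-prime-bits 1024
  "Assumed floor for the Diffie-Hellman prime size.
The 24.3 default of 256 bits, quoted in the bug title, is far too small.")

(defconst my-gnutls-strict-priority "SECURE128:-VERS-SSL3.0"
  "Assumed GnuTLS priority string: strong ciphers only, SSL 3.0 disabled.")

(defun my-gnutls-weak-settings ()
  "Return a list of symbols naming GnuTLS settings that look weak.
An empty list means both settings pass the (assumed) thresholds."
  (let (weak)
    ;; nil means Emacs defers to the library default; an explicit
    ;; value below the floor is flagged for the same reason.
    (when (or (null gnutls-min-prime-bits)
              (< gnutls-min-prime-bits my-gnutls-min-acceptable-prime-bits))
      (push 'gnutls-min-prime-bits weak))
    ;; nil means the GnuTLS "NORMAL" priority, i.e. no explicit choice
    ;; of algorithms; the message calls changing this default the
    ;; proper fix but notes it may break some users' setups.
    (when (null gnutls-algorithm-priority)
      (push 'gnutls-algorithm-priority weak))
    weak))

(defun my-gnutls-harden ()
  "Set both settings to the stricter (assumed) values and return them.
Intended for a user's init file; check `my-gnutls-weak-settings' afterwards."
  (setq gnutls-min-prime-bits my-gnutls-min-acceptable-prime-bits
        gnutls-algorithm-priority my-gnutls-strict-priority)
  (list gnutls-min-prime-bits gnutls-algorithm-priority))

;; Usage from an init file:
;; (when (my-gnutls-weak-settings) (my-gnutls-harden))
```

Because the priority string rejects servers that only offer weak parameters, a connection that worked with the defaults may fail after hardening; that is the compatibility cost the message weighs against shipping the stricter defaults.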




Thread overview:
2014-09-17 17:08 Release-critical bugs David Engster
2014-09-17 19:40 ` Glenn Morris
2014-09-18  2:16   ` Ivan Andrus
2014-09-18 17:28     ` Glenn Morris
2014-09-18  2:39   ` Eli Zaretskii
2014-09-18 12:57     ` Rasmus
2014-09-18 14:51       ` Eli Zaretskii
2014-09-18 17:28     ` Glenn Morris
2014-09-18 17:40       ` Eli Zaretskii
2014-09-19 16:49         ` Glenn Morris
2014-09-19 17:34           ` Eli Zaretskii
2014-09-24 13:48   ` Ted Zlatanov [this message]
2014-09-24 15:04     ` Stefan Monnier
2014-09-27 15:10     ` Jens Lechtenboerger