From: "Stephen J. Turnbull"
Newsgroups: gmane.emacs.devel
Subject: Re: GnuTLS for W32
Date: Sat, 07 Jan 2012 11:31:58 +0900
Message-ID: <87zke02qg1.fsf@uwakimon.sk.tsukuba.ac.jp>
To: Óscar Fuentes
Cc: emacs-devel@gnu.org

Óscar Fuentes writes:

> But now that you ask, yes, I'll appreciate that all projects would
> include a system for notifying me that its software is putting my
> machine at risk.

Óscar, I'll tell you right now: all of the software on all of your
machines is putting your systems at risk. If those systems are
connected to the Internet (including by "sneakernet"), that risk is
nonnegligible. You know that.

What one[1] really wants is something like "I'll appreciate that all
projects will inform me that features of their software that I use
have a known and relatively high security risk." But identifying
features that you use is impossible; at best the software can
determine what features you have used in the past. The software also
cannot determine what you mean by "relatively high"; it can only use
some "objective" criterion of exploitability, which might or might not
matter to you.
The bar has to be higher than zero (or you'd just add my first
paragraph to the startup message, no need to check), so some users
(and I gather you are a member of that group) will not get as many
warnings as they like. But others will get too many, and shut off a
system that they would find beneficial if the bar were set higher.

> You are sidetracking from my question by going back to the GnuTLS
> dll. I'm genuinely interested in your reasoning for rejecting an
> automatic notification system built into Emacs.

Did he reject such a system, or simply insist that it not be turned on
by default? I don't see how he can reject the system itself, if
somebody else volunteers to create and maintain it. Rejection is
different from what he actually said, which is that he thinks those
volunteers would be doing a better service for Emacs by developing
Emacs instead of trying to keep up with the security details (which
are normally not public, as you know) of an independent project.

> Something you can use to warn users that a problem was found that
> would pose a risk to their data (a security breach, data
> corruption, whatever).

Something includes "email", "website", "RSS feed", etc.; you just want
to feed that information to all users, including many who don't want
it, and some who believe in turning off all services that they don't
need, and won't approve of having Emacs turn it on for them by
default.

Footnotes:
[1] Cf. larsi's infinitely extensible example of why he doesn't like
checks at startup. Maybe you would be happy to see that, but I doubt
very many people would.