From: Jimmy Yuen Ho Wong
Newsgroups: gmane.emacs.devel
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Sat, 23 Jun 2018 11:34:43 +0100
References: <83o9g2uhju.fsf@gnu.org>
In-Reply-To: <83o9g2uhju.fsf@gnu.org>
To: Eli Zaretskii
Cc: Lars Ingebrigtsen, Paul Eggert, emacs-devel@gnu.org
List-Id: "Emacs development discussions."
Xref: news.gmane.org gmane.emacs.devel:226613

On Sat, Jun 23, 2018 at 7:45 AM, Eli Zaretskii wrote:
> > From: Paul Eggert
> > Date: Fri, 22 Jun 2018 15:43:35 -0700
> > Cc: Lars Magne Ingebrigtsen
> >
> > > 2. Now that `starttls.el` and `tls.el` are obsolete, and GnuTLS doesn't
> > >    seem to be doing a very good job, can we link to something better
> > >    maintained, such as OpenSSL/LibreSSL/BoringSSL/NSS?
> >
> > I would think the answer to that could be "yes" too. Despite its name,
> > GnuTLS is no longer GNU code, and we're under no obligation to promote
> > it. However, this would take some work. We'd surely want the option to
> > link to either GnuTLS or OpenSSL/etc.
>
> GnuTLS may not be a GNU project in the formal sense, but nothing has
> changed in its development methods or in its spirit since it was.
> OpenSSL is even less of a GNU project, and AFAIR includes components
> that are not even Free Software. Moreover, having 2 different
> libraries for the same task in Emacs will be a maintenance burden we
> are better without, especially given the lack of active experts on
> board. I'd like to remind us all that we've just switched to GnuTLS
> as the primary means in Emacs 26.1.
>
> So my vote would be NO for switching away from GnuTLS.

While I understand this from a human resource perspective, I wonder if it's possible for the FSF to ask for some friendly help (such as the folks at EFF) on this one. I can probably ask around in London as well. In my opinion having OTTB better security is worthwhile for the switch.

As to OpenSSL, they seem to have found all the past contributors already (https://license.openssl.org/trying-to-find). It seems they are really close to switching to the Apache license.