From: Ioannis Kappas
Newsgroups: gmane.emacs.bugs
Subject: bug#51038: 27.2; ELPA certificate not trusted on Windows
Date: Sun, 24 Oct 2021 17:49:26 +0100
In-Reply-To: <6043-1633446864-843899@sneakemail.com>
To: Eli Zaretskii, john@rootabega.net
Cc: 51038@debbugs.gnu.org, emacs-hoffman@snkmail.com, Lars Ingebrigtsen
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: notabug
Xref: news.gmane.io gmane.emacs.bugs:218151

Hi all,

doublep/eldev (the Elisp Development Tool) is just an example of a project that has been affected by this issue and has taken some time and serious effort to figure out what was going wrong: https://github.com/doublep/eldev/issues/55. The CI running the eldev test suite on GitHub Windows 2019 servers, which involved downloading packages from MELPA, suddenly started to fail one day when connecting to stable.melpa.org. The same tests passed on Linux/macOS builds. I am sure there are many other such instances, either projects or just users, that are affected by it and are perplexed by the current situation without knowing the root cause.
May I please argue that this should be at least acknowledged as an important issue with the latest official GNU Emacs 27.2 binary MS-Windows release as advertised on the `GNU Emacs Download & Install page' @ https://www.gnu.org/software/emacs/download.html, under `Nonfree systems' -> Windows:

"""GNU Emacs for Windows can be downloaded from a nearby GNU mirror; or the main GNU FTP server"""

where `GNU mirror' points to http://ftp.gnu.org/gnu/emacs/windows/emacs-27/, with the affected Emacs 27.2 releases dated 2021-Mar-31.

The issue is that the *latest official GNU Emacs Windows binary releases*, as of today, at the official GNU Emacs download site are *bundled* with gnutls-3.6.12, which is susceptible to GnuTLS bug#1008 (titled "Handle expiration of AddTrust root certificate (urgent)" -- https://gitlab.com/gnutls/gnutls/-/issues/1008), which refuses connections to sites with valid certificates whose issuer consists of dual certificates of which one has expired but the other is not expired, i.e. valid. As such, the official precompiled Emacs 27.2 Windows binaries cannot connect to these sites, which severely compromises Emacs functionality, with preventing Emacs from connecting to package archives such as ELPA or MELPA being the most prevalent example.

Thus I advocate that the latest official precompiled GNU Emacs MS-Windows binaries have a serious issue (caused by a bug in the GnuTLS version they are bundled with) that either needs to be addressed or a workaround needs to be suggested somewhere in the download/install instructions.

For completeness I list the available options discussed in this thread or that I can think of, with any disadvantages I can think of:

1. Fix: Release new precompiled Emacs 27.2 binary versions to the official site bundled with a GnuTLS version that has the GnuTLS#1008 fix, i.e. with version >= 3.6.14 (is this likely to be a release nightmare?)

2. Fix: Wait until the next release (I believe the 28.x release is around the corner?). This leaves Emacs users who rely on the latest official build vulnerable; i.e. users that follow the official instructions and don't know what MSYS2 is or how to use it or can't be bothered -- this is probably the majority of nontechnical users -- or users on systems behind corporate firewalls that do not permit the installation of third-party tools (msys2/chocolatey/scoop), or users on remote servers with a preinstalled version of the latest Emacs version -- for example GitHub Windows 2019 build/test farms.

3. Workaround: Document the issue somewhere that a prospective user can't miss (e.g. the official download page or the readme document alongside the binaries, anything else?), with the workarounds being:

   3.1 Update the Windows certificate store to remove the expired certificate as mentioned in this thread (not sure how this would work: how do users find the list of the ones that expired? Does it require special permission to remove certs? I suppose `Let's Encrypt' issuer certificates are not the only ones affected; there may be more either now or down the line).

   3.2 Use MSYS2 to build (pick up?) a 27.2 version with the latest GnuTLS lib (or chocolatey, or scoop perhaps, if such a version exists there). Though the user might not have the technical background to do so, or the host is restricted in respect to the tools that can be installed (systems behind corporate firewalls), or the target system is a server with limited access as to the choice of tools that can be installed (e.g. custom-built Windows 2019 GitHub server farms).

4. Workaround: the same as #3 but without updating instructions about the problem or how to fix it. This leaves users who rely on the latest official releases without knowledge of this issue in the most vulnerable and perplexing situation for them.

Thank you
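An added diagnostic, not part of this bug report and not Emacs's own code, that a user or a CI job can evaluate to learn whether the running Emacs was built against a GnuTLS older than the 3.6.14 fix for GnuTLS#1008. It relies on the built-in `libgnutls-version` variable (major*10000 + minor*100 + patch, or -1 without GnuTLS) and `gnutls-available-p`; the `my/` function names are mine.

```elisp
;; Decode the GnuTLS version Emacs was built against and report whether it
;; predates the GnuTLS#1008 fix (3.6.14). `libgnutls-version' is a built-in
;; Emacs variable encoded as major*10000 + minor*100 + patch; it is -1 when
;; Emacs was built without GnuTLS. The `my/' names are hypothetical.

(defconst my/gnutls-1008-fixed-version 30614
  "First GnuTLS version (3.6.14) that contains the GnuTLS#1008 fix.")

(defun my/gnutls-version-triple ()
  "Return (MAJOR MINOR PATCH) for the built-in GnuTLS, or nil if absent."
  (when (and (boundp 'libgnutls-version) (>= libgnutls-version 0))
    (list (/ libgnutls-version 10000)
          (/ (% libgnutls-version 10000) 100)
          (% libgnutls-version 100))))

(defun my/gnutls-addtrust-affected-p ()
  "Non-nil if GnuTLS is usable but older than 3.6.14 (affected by #1008)."
  (and (gnutls-available-p)
       (< libgnutls-version my/gnutls-1008-fixed-version)))

(defun my/gnutls-report ()
  "Return and echo a one-line verdict, e.g. for a CI job log."
  (interactive)
  (let ((v (my/gnutls-version-triple)))
    (message "%s"
             (cond
              ((null v) "GnuTLS: not available in this Emacs build")
              ((my/gnutls-addtrust-affected-p)
               (format "GnuTLS %d.%d.%d: affected by GnuTLS#1008, needs >= 3.6.14"
                       (nth 0 v) (nth 1 v) (nth 2 v)))
              (t (format "GnuTLS %d.%d.%d: includes the GnuTLS#1008 fix"
                         (nth 0 v) (nth 1 v) (nth 2 v)))))))
```

On Windows, Emacs loads the GnuTLS DLL at run time while `libgnutls-version` reflects the headers used at build time, so a newer DLL dropped next to the bundled one will not change the verdict; `gnutls-available-p` is still needed because it is what actually tries to load the DLL.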