From: Lars Magne Ingebrigtsen
Newsgroups: gmane.emacs.devel
Subject: Re: The SHA1 sunset
Date: Mon, 04 Jan 2016 01:53:56 +0100
References: <83fuyead32.fsf@gnu.org>
To: emacs-devel@gnu.org
In-Reply-To: (John Wiegley's message of "Sun, 03 Jan 2016 11:58:42 -0800")
User-Agent: Gnus/5.130014 (Ma Gnus v0.14) Emacs/25.1.50 (gnu/linux)

John Wiegley writes:

>>>>>> Eli Zaretskii writes:
>
>>> We might consider at some point in the future to move this check to the
>>> "medium" (default) setting.
>
>> Why not now?
>
> Let's move it to the medium setting now. The writing has been on the
> wall for SHA1 for a little while now.

It has, but warning users about something that isn't a thing yet is
doing the users a disservice. Bogus security warnings make people
ignore real security warnings. If you look at the timeline for MD5,
for instance, it took quite a few years between people thinking that it
was wonky and somebody exploiting that to create "innovative"
certificates...

On the fourth hand, we release Emacs so seldom that we have to plan
for the future, so perhaps it should be in "medium" anyway.

It would have been nice if Emacs had a way to retroactively change these
things. I mean, "push" very, very selective security-related updates on
users...

Hm... could we imagine using the package system for doing security
updates? It would mean that Emacs would "call home" once in a while...

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no