[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: GnuTLS for W32

From: Ted Zlatanov
Subject: Re: GnuTLS for W32
Date: Thu, 05 Jan 2012 12:52:35 -0500
User-agent: Gnus/5.110018 (No Gnus v0.18) Emacs/24.0.90 (gnu/linux)

On Thu, 05 Jan 2012 16:37:04 +0100 Lars Ingebrigtsen <address@hidden> wrote: 

LI> Ted Zlatanov <address@hidden> writes:
>> You're right.  Do you agree with the general idea of checking for
>> critical updates on startup, though?

LI> You didn't ask me, but I certainly do not.  

I certainly value your opinion.  Could you explain why you disagree with
checking critical packages (just GnuTLS currently)?  How would you
propose letting the user know they are out of date, instead of this?

On Thu, 5 Jan 2012 15:50:40 +0100 Juanma Barranquero <address@hidden> wrote: 

JB> 2012/1/5 Ted Zlatanov <address@hidden>:

>> You're right.  Do you agree with the general idea of checking for
>> critical updates on startup, though?

JB> FWIW, I don't. That is a step (tiny, I know) in the "software as a
JB> service" direction.

Not at all.  It's just a convenience based on our desire to take
responsibility for the security of the software we provide.

>> Combining (4) and (2) seems most convenient for the users: they will
>> have a single installer for all of Emacs (a convenience that goes beyond
>> this thread), and they'll get notified on all platforms when GnuTLS is
>> out of date.

JB> Does that mean that my Emacs is going to automatically try to
JB> establish a network connection without asking me? Or that I'm gonna be
JB> asked every time?

It will be configurable and transparent when possible, but yes, at some
point it may ask you once.

If we have a W32 installer I'd make it a checkbox during the install.

On Thu, 05 Jan 2012 09:14:11 -0500 Eli Zaretskii <address@hidden> wrote: 

>> From: Ted Zlatanov <address@hidden>
>> I would actually also like to bundle trusted certificates.

EZ> Where should they be gotten and how to integrate them with GnuTLS?

(Note this is speculative, I don't know for sure we should do this, but
certainly on W32 the cert bundle has to come from somewhere.)

I think it's safest to use Mozilla's cert bundle but I may sync with
Debian's bundle instead.

They don't integrate with GnuTLS as a library, but rather they are given
to it by gnutls.el.  So it would be maintenance and special cases in
gnutls.el, not in C code.

Our list of certs may diverge from what's built into the OS (e.g. RHEL
vs. Debian vs. Mac OS X).  There's no way to fix that, we have to let
the user choose, and by default use the OS cert bundle when it's

>> If we tell the user to reinstall because GnuTLS is out of date, would
>> that be a big burden?

EZ> It could be, since Emacs is a large distribution, and GnuTLS libraries
EZ> are much smaller in comparison.

Maybe the wpatch Joakim mentioned would help here.  But yeah, I see the
problem, and yet everyone (IIUC) is saying a bundled install is the
safest way instead of trying to update DLLs directly.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]