Re: Network security manager

[Ted Zlatanov]

On Mon, 17 Nov 2014 12:31:35 -0500 Stefan Monnier <address@hidden> wrote: 

TZ> I don't know how complicated it will be internally, but I don't think it
TZ> will endanger any existing functionality (except TLS connections, of
TZ> course).  The only reason for it in 24.x is to add reasonable certificate
TZ> handling so we can turn on certificate verification by default.  I don't
TZ> think it can be done otherwise without seriously damaging the user
TZ> experience.

SM> The issue is that if we have a 24.5 release, I want a very short pretest
SM> phase, so such changes need to be "obviously safe".

SM> One way to do that can be to make the changes conditional on some config
SM> var, which stays disabled by default.  So random users will use the old
SM> code and those who care about security can enable it at the risk of
SM> helping us fix bugs.

I'd rather not ship with security disabled by default. That's exactly
the situation we have now, just swept into a different corner.

If fixing it is too risky then we put out an insecure 24.5 and 25.1 will
be the first release to manage certificates and verify them by default.
This is no worse than the current 24.x situation. It seems this is
acceptable to everyone so far.

I would have preferred to avoid that situation but the fault is mostly
mine for leaving this unfinished for so long.

>> BTW, I proposed using emacs-24 3 weeks ago in the thread "removing SSLv3
>> support by default from the Emacs GnuTLS integration (was: Bug#766395:
>> emacs/gnus: Uses s_client to for SSL.)" you can find here
>> https://lists.gnu.org/archive/html/emacs-devel/2014-10/msg00936.html

SM> I don't know the underlying issues well enough.  But it doesn't sound
SM> "obviously safe" either.  I'd rather just follow gnutls's own defaults.

We are.

Ted