emacs-devel

Re: TLS certificate on elpa.gnu.org


From: Eli Zaretskii
Subject: Re: TLS certificate on elpa.gnu.org
Date: Sun, 04 Feb 2018 19:51:14 +0200

> From: Philipp Stephani <address@hidden>
> Date: Sun, 04 Feb 2018 16:48:04 +0000
> Cc: Neil Okamoto <address@hidden>, address@hidden
> 
>  Isn't this an awfully old version of GnuTLS? 
> 
> It is the version shipped with the current LTS version of Ubuntu: 
> https://packages.ubuntu.com/trusty/gnutls-bin
>  
>  
>  > It’s causing me to introduce workarounds, such as downloading a newer
>  > gnutls source package and compiling it locally in the Travis CI build.
>  > I would really prefer not to do this. It adds unnecessary time and
>  > complexity to the CI setup for some Emacs packages, and (conversely) one
>  > can imagine other Emacs package maintainers may be avoiding the
>  > complexity by not implementing CI for their projects.
>  >
>  > Can someone more knowledgeable about the standards, the evolution of
>  > gnutls since 2.12, and the server configuration of elpa.gnu.org please
>  > weigh in on this?
> 
>  I'm not such an expert on this, but in general, security assumes
>  latest versions of related software and databases.
> 
> Security requires *patched* versions, not *updated* versions. That's a big
> difference. Ubuntu LTS gets security patches until the end of its lifetime,
> but no bug fixes or new features. The security patches only fix
> vulnerabilities.

To me, the fact that a newer version of GnuTLS doesn't show this
problem means that the issue was resolved by further development of
that package.  Maybe Ubuntu needs to backport more patches?

Anyway, we can continue discussing this here to Kingdom Come, but if
we want to hear from experts, this issue should be brought on the
GnuTLS mailing list, not here.


