Re: GnuTLS for W32

From: Ted Zlatanov
Subject: Re: GnuTLS for W32
Date: Thu, 05 Jan 2012 19:43:26 -0500
User-agent: Gnus/5.110018 (No Gnus v0.18) Emacs/24.0.90 (gnu/linux)

On Fri, 6 Jan 2012 00:38:41 +0100 Juanma Barranquero <address@hidden> wrote: 

JB> 2012/1/6 Ted Zlatanov <address@hidden>:
>> I meant Emacs, the software, not just its binary form.  Forget the
>> binaries; you and Lars are protesting a startup check that critical
>> packages like GnuTLS are not out of date.

JB> When you say that, you are not talking about gnutls.el, you are
JB> talking about the GnuTLS binary, so no, I cannot forget the binaries.
JB> That's the whole point of the discussion (at least, of the part of the
JB> discussion I'm involved in).

No, what I was proposing was a startup check that the "gnutls-critical"
package is up to date, meaning what the user has installed is the
latest on the GNU ELPA.  This does not mean the latest GnuTLS is

The "gnutls-critical" package may do more afterwards, depending on the
OS.  On W32 it may trigger a patch eventually.  At first it will just
display a warning, as Chad suggested.  On GNU/Linux I think it should
leave the package management alone but still display a warning.

>> I can't think of a better way to notify them that an Emacs component
>> is out of date and possibly compromising their security.

JB> The GnuTLS binary is *not* an "Emacs component".

I think the C glue to GnuTLS is an Emacs component, deeply embedded.
The point of an exploit is that it can cross the barrier between "not a
component/not our problem" and "oh crap."

On Fri, 6 Jan 2012 01:05:36 +0100 Juanma Barranquero <address@hidden> wrote: 

JB> GnuTLS is not required to "adopt Emacs". I would say that, for a
JB> Windows user, adding the image libraries would be more useful than
JB> GnuTLS, because I bet most of them are not going to start using Emacs
JB> to read e-mail or surf the web.

I believe `open-network-stream' can use GnuTLS for HTTPS connections,
which matters for a lot of cases, e.g. package.el.  I agree about the
image libraries, though, they should also be included in an installer.

JB> But, as for "why not"... Why? Why us? Why cannot the people who are so
JB> interested in doing it just set a side project to build an Emacs
JB> installer, and be done with it?

I need the "gnutls-critical" startup check or some other way to tell the
user their GnuTLS version is at risk *by default*.  This will be useful
on Mac OS X as well in some cases, as I mentioned.  That's all I need
from emacs-devel (so Stefan or Chong's approval, I guess); the rest of
the work will be on the GNU ELPA "gnutls-critical" package and a W32
installer, and does not need to involve anyone uninterested.

