[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: GnuTLS for W32
From: |
Ted Zlatanov |
Subject: |
Re: GnuTLS for W32 |
Date: |
Thu, 05 Jan 2012 19:43:26 -0500 |
User-agent: |
Gnus/5.110018 (No Gnus v0.18) Emacs/24.0.90 (gnu/linux) |
On Fri, 6 Jan 2012 00:38:41 +0100 Juanma Barranquero <address@hidden> wrote:
JB> 2012/1/6 Ted Zlatanov <address@hidden>:
>> I meant Emacs, the software, not just its binary form. Forget the
>> binaries; you and Lars are protesting a startup check that critical
>> packages like GnuTLS are not out of date.
JB> When you say that, you are not talking about gnutls.el, you are
JB> talking about the GnuTLS binary, so no, I cannot forget the binaries.
JB> That's the whole point of the discussion (at least, of the part of the
JB> discussion I'm involved in).
No, what I was proposing was a startup check that the "gnutls-critical"
package is up to date, meaning what the user has installed is the
latest on the GNU ELPA. This does not mean the latest GnuTLS is
installed.
The "gnutls-critical" package may do more afterwards, depending on the
OS. On W32 it may trigger a patch eventually. At first it will just
display a warning, as Chad suggested. On GNU/Linux I think it should
leave the package management alone but still display a warning.
>> I can't think of a better way to notify them that an Emacs component
>> is out of date and possibly compromising their security.
JB> The GnuTLS binary is *not* an "Emacs component".
I think the C glue to GnuTLS is an Emacs component, deeply embedded.
The point of an exploit is that it can cross the barrier between "not a
component/not our problem" and "oh crap."
On Fri, 6 Jan 2012 01:05:36 +0100 Juanma Barranquero <address@hidden> wrote:
JB> GnuTLS is not required to "adopt Emacs". I would say that, for a
JB> Windows user, adding the image libraries would be more useful that
JB> GnuTLS, because I bet most of them are not going to start using Emacs
JB> to read e-mail or surf the web.
I believe `open-network-stream' can use GnuTLS for HTTPS connections,
which matters for a lot of cases, e.g. package.el. I agree about the
image libraries, though, they should also be included in an installer.
JB> But, as for "why not"... Why? Why us? Why cannot the people who is so
JB> interested in doing it just set a side project to build an Emacs
JB> installer, and be done with it?
I need the "gnutls-critical" startup check or some other way to tell the
user their GnuTLS version is at risk *by default*. This will be useful
on Mac OS X as well in some cases, as I mentioned. That's all I need
from emacs-devel (so Stefan or Chong's approval, I guess); the rest of
the work will be on the GNU ELPA "gnutls-critical" package and a W32
installer, and does not need to involve anyone uninterested.
Ted
- Re: NaCl support for Emacs, (continued)
- Re: NaCl support for Emacs, Stefan Monnier, 2012/01/11
- Re: NaCl support for Emacs, Carsten Mattner, 2012/01/11
- Re: NaCl support for Emacs, Stephen J. Turnbull, 2012/01/11
- Re: NaCl support for Emacs (was: GnuTLS for W32), Richard Stallman, 2012/01/11
- Re: GnuTLS for W32, Stephen J. Turnbull, 2012/01/08
- Re: GnuTLS for W32, Eli Zaretskii, 2012/01/08
- Re: GnuTLS for W32,
Ted Zlatanov <=
- Re: GnuTLS for W32, Juanma Barranquero, 2012/01/05
- Re: GnuTLS for W32, Ted Zlatanov, 2012/01/06
- Re: GnuTLS for W32, Juanma Barranquero, 2012/01/06
- Re: GnuTLS for W32, Ted Zlatanov, 2012/01/06
- Re: GnuTLS for W32, Juanma Barranquero, 2012/01/06
- Re: GnuTLS for W32, Ted Zlatanov, 2012/01/06
- Re: GnuTLS for W32, Chong Yidong, 2012/01/07
- Re: GnuTLS for W32, Juanma Barranquero, 2012/01/07
- Re: GnuTLS for W32, Ted Zlatanov, 2012/01/07
- Re: GnuTLS for W32, Reiner Steib, 2012/01/07