Re: The SHA1 sunset

From: Lars Magne Ingebrigtsen
Subject: Re: The SHA1 sunset
Date: Mon, 04 Jan 2016 01:53:56 +0100

John Wiegley <address@hidden> writes:

>>>>>> Eli Zaretskii <address@hidden> writes:
>>> We might consider at some point in the future to move this check to the
>>> "medium" (default) setting.
>> Why not now?
> Let's move it to the medium setting now. The writing has been on the
> wall for SHA1 for a little while now.

It has, but warning users about something that isn't a thing yet is
doing the users a disservice.  Bogus security warnings make people
ignore real security warnings.

If you look at the timeline for MD5, for instance, it took quite a few
years between people thinking that it was wonky and somebody exploiting
that to create "innovative" certificates...

On the fourth hand, we release Emacs so seldom that we have to plan
for the future, so perhaps it should be in "medium" anyway.

It would have been nice if Emacs had a way to retroactively change these
things.  I mean, "push" very, very selective security-related updates on
users...  Hm...  could we imagine using the package system for doing
security updates?  It would mean that Emacs would "call home" once in a

