Re: A couple of questions and concerns about Emacs network security

[Eli Zaretskii]

> From: Jimmy Yuen Ho Wong <address@hidden>
> Date: Sat, 23 Jun 2018 11:21:49 +0100
> Cc: Noam Postavsky <address@hidden>, Paul Eggert <address@hidden>, 
>       Lars Ingebrigtsen <address@hidden>, address@hidden
> 
>  > Can we bump gnutls-min-prime-bits to 1024 on the release branch?
> 
>  No, I don't think so.  Changing these settings needs a prolonged
>  testing period to uncover any subtle problems with non-conforming
>  servers that users must be able to access, and such testing is
>  unlikely to happen on emacs-26 before the next bug-fix release.
> 
>  If we change this now on emacs-26, we should probably not release
>  Emacs 26.2 before a year goes by.
> 
> I don't understand this. Just because a small amount of people need 256 bit 
> default to connect to some
> non-conforming servers, you think the trade-off should be to use a default 
> that put the vast majority of Emacs
> users at risk out of the box?

No, you are missing my point, I think.  I'm saying that changes in
these areas tend to cause unintended breakage, and it takes time to
uncover those and fix them.  We cannot risk such breakage on the
release branch without delaying the next bug-fix release too much.

IOW, this is about the relative importance of other bugs we fixed
since 26.1 and need to be released soon, and this particular issue,
which isn't new.