Re: GnuTLS for W32

[Óscar Fuentes]

Juanma Barranquero <address@hidden> writes:

>> Do we implement security only when many users are at risk?
>
> Irrelevant. We've implemented security, we're talking about defaults.

What's the difference?

> And that's what cost-benefit analysis is for. The answer could well be
> yes, if the alternative to "many" is "almost no-one".

You can count me on. See below.

>> Including the GnuTLS binary with the official binary packages shouldn't
>> be too costly, if we consider how rare Emacs releases are.
>
> The moment a serious bug is detected in GnuTLS, you have to issue
> updated packages and get the word out. It's not as easy as you put it.

Granted, that's a considerable side-effect. I've looked at the release
history for GnuTLS and there are lots of them. I don't how many contain
fixes for serious bugs, though.

[snip]

>> Shrugh. Security-wise, this way of thinking is responsible for lots of
>> disasters.
>
> For some definition of "lots", sure.

Directly or indirectly, almost all of them, I would say.

>> I wouldn't detect if someone were eavesdropping my network
>> communications, nor would you.
>
> Considering that I'm in a very small, non-WiFi network behind a rather
> paranoid firewall, trust me: if someone is eavesdropping my network,
> Emacs is the lesser of my troubles.

AFAIK Emacs can use GnuTLS for talking to the outside world too. SMTP,
for instance. There are ISPs (like the one I use) that offer both
encrypted and plain login on their mail servers. That's pretty serious
stuff.