[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: GnuTLS for W32
|
From: |
Juanma Barranquero |
|
Subject: |
Re: GnuTLS for W32 |
|
Date: |
Fri, 6 Jan 2012 01:59:32 +0100 |
2012/1/6 Ted Zlatanov <address@hidden>:
> No, what I was proposing was a startup check that the "gnutls-critical"
> package is up to date, meaning what the user has installed is the
> latest on the GNU ELPA.
At the end of the "gnutls-critical" chain, the intention is, either to
update non-binaries (gnutls.c, gnutls.el), or binaries (the DLL). In
the first case, I don't know why do we need such a special mechanism
(security releases have been handled before, just by issuing a new
release or an updated tarball); in the second case, you already know
my objections, so I won't repeat them again.
> The "gnutls-critical" package may do more afterwards, depending on the
> OS. On W32 it may trigger a patch eventually. At first it will just
> display a warning, as Chad suggested.
And then, we're going to implement something similar for image
libraries, because they can also have security-related bugs. Aren't
we?
We could also make our own MinGW/MSYS distribution, for people that
builds their own Windows Emacs. We would automatically upgrade it in
case there's a security issue. And let's not forget binutils, and
texinfo. Yes, I'm being facetious. Or not, I'm not sure anymore.
> I think the C glue to GnuTLS is an Emacs component, deeply embedded.
> The point of an exploit is that it can cross the barrier between "not a
> component/not our problem" and "oh crap."
Lots of code in Emacs calls external tools (from grep to nslookup to
make). Anyone of them could turn into an "oh crap" moment. But we
don't feel the impulse to distribute grep and make sure it is up to
date.
> I believe `open-network-stream' can use GnuTLS for HTTPS connections,
> which matters for a lot of cases, e.g. package.el.
I disagree with "a lot of cases". There are a few Emacs components
that connect to the network, but it is perfectly possible (and, I
think, even common) not to need them on Windows.
> I agree about the image libraries, though, they should also be included in an
>installer.
As long as you say "an installer" and do not say "automatically
check", I'm fine.
> I need the "gnutls-critical" startup check or some other way to tell the
> user their GnuTLS version is at risk *by default*.
s/need/want/.
Juanma
- Re: NaCl support for Emacs, (continued)
- Re: NaCl support for Emacs, Stefan Monnier, 2012/01/11
- Re: NaCl support for Emacs, Carsten Mattner, 2012/01/11
- Re: NaCl support for Emacs, Stephen J. Turnbull, 2012/01/11
- Re: NaCl support for Emacs (was: GnuTLS for W32), Richard Stallman, 2012/01/11
- Re: GnuTLS for W32, Stephen J. Turnbull, 2012/01/08
- Re: GnuTLS for W32, Eli Zaretskii, 2012/01/08
- Re: GnuTLS for W32, Ted Zlatanov, 2012/01/05
- Re: GnuTLS for W32,
Juanma Barranquero <=
- Re: GnuTLS for W32, Ted Zlatanov, 2012/01/06
- Re: GnuTLS for W32, Juanma Barranquero, 2012/01/06
- Re: GnuTLS for W32, Ted Zlatanov, 2012/01/06
- Re: GnuTLS for W32, Juanma Barranquero, 2012/01/06
- Re: GnuTLS for W32, Ted Zlatanov, 2012/01/06
- Re: GnuTLS for W32, Chong Yidong, 2012/01/07
- Re: GnuTLS for W32, Juanma Barranquero, 2012/01/07
- Re: GnuTLS for W32, Ted Zlatanov, 2012/01/07
- Re: GnuTLS for W32, Reiner Steib, 2012/01/07
- Re: GnuTLS for W32, Richard Riley, 2012/01/05