Re: GnuTLS for W32

[Lars Magne Ingebrigtsen]

Ted Zlatanov <address@hidden> writes:

> The user doesn't know, usually, that there's been a critical GnuTLS
> release that affects them.  Unlike normal updates, ignoring this can
> actually compromise their security, not just corrupt or expose their
> data.

$ ssh gnu.org
Checking for updates to ssh...  please wait
Apparently somebody has made a brute-force attack feasible against
the encryption algorithm ssh was going to use against the remote server.
Download and install a new version of ssh?

> This is a crucial distinction.  So I want Emacs to notify the
> user their GnuTLS is out of date, or else something else should
> (e.g. the self-contained GnuTLS updater for W32 I proposed).

I don't really see that there's much of a difference between bugs in
libgnutls and in the Emacs binary proper.  If a major security hole was
discovered in Emacs, then presumably a new Emacs release would be made.
If a major libgnutls hole was discovered, then presumably someone would
zip up a new Windows release.

-- 
(domestic pets only, the antidote for overdose, milk.)
  bloggy blog http://lars.ingebrigtsen.no/