Re: Win32 GnuTLS DLL installer?

[Eli Zaretskii]

> From: address@hidden (Phillip Lord)
> Cc: Ted Zlatanov <address@hidden>,  address@hidden
> Date: Thu, 21 Sep 2017 22:16:36 +0100
> 
> > It may be the simplest, but are they good enough for a dedicated,
> > security-related package?  I'm not sure.  E.g., do the MSYS2 people,
> > who produce the DLLs which Phillip repackages, habitually run the test
> > suite of those DLLs, and investigate every failure?
> 
> Given that these are the DLLs than any user of Emacs is likely to update
> their libgnutls from anyway, then this doesn't strike me as a major
> problem. I mean, it's as good a solution as any.

I'm quite ignorant about security issues, but one thing I did learn is
that "as good solution as any" is usually not good enough for
security-critical issues.

I can tell that all the DLL binaries on the ezwinports site always
pass their test suite, and all the test failures are looked into and
fixed if the failures are real.  That is why I generally update GnuTLS
and other libraries relatively infrequently: it's a serious job that
takes time and energy.

If we are willing to disregard the QA in these libraries for the
Windows users, then I submit that we should not consider seriously any
security aspects of the Windows binaries.  We are in effect leaving it
to the users to discover the problems and report them.