From: Philipp Stephani <address@hidden>
Date: Sun, 04 Feb 2018 16:48:04 +0000
Cc: Neil Okamoto <address@hidden>, address@hidden
Isn't this an awfully old version of GnuTLS?
It is the version shipped with the current LTS version of Ubuntu: https://packages.ubuntu.com/trusty/gnutls-bin
It’s causing me to introduce workarounds, such as downloading a newer gnutls source package and compiling it locally in the Travis CI build. I would really prefer not to do this. It adds unnecessary time and complexity to the CI setup for some Emacs packages, and (conversely) one can imagine other Emacs package maintainers may be avoiding the complexity by not implementing CI for their projects.
Can someone more knowledgeable about the standards, the evolution of gnutls since 2.12, and the server configuration of elope.gnu.org please weigh in on this?
I'm not such an expert on this, but in general, security assumes latest versions of related software and databases.
Security requires *patched* versions, not *updated* versions. That's a big difference. Ubuntu LTS gets security patches until the end of its lifetime, but no bug fixes or new features. The security patches only fix vulnerabilities.
To me, the fact that a newer version of GnuTLS doesn't show this problem means that the issue was resolved by further development of that package. Maybe Ubuntu needs to backport more patches? Anyway, we can continue discussing this here to Kingdom Come, but if we want to hear from experts, this issue should be brought on the GnuTLS mailing list, not here.
Ok, I’m re-posting to gnutls-help.