emacs-devel

Re: TLS certificate on elpa.gnu.org


From: Neil Okamoto
Subject: Re: TLS certificate on elpa.gnu.org
Date: Sun, 4 Feb 2018 12:11:40 -0800


On Feb 4, 2018, at 9:51 AM, Eli Zaretskii <address@hidden> wrote:

From: Philipp Stephani <address@hidden>
Date: Sun, 04 Feb 2018 16:48:04 +0000
Cc: Neil Okamoto <address@hidden>, address@hidden

Isn't this an awfully old version of GnuTLS? 

It is the version shipped with the current LTS version of Ubuntu: https://packages.ubuntu.com/trusty/gnutls-bin


It’s causing me to introduce workarounds, such as downloading a newer gnutls source package and
compiling it locally in the Travis CI build. I would really prefer not to do this. It adds unnecessary time
and complexity to the CI setup for some Emacs packages, and (conversely) one can imagine other
Emacs package maintainers may be avoiding the complexity by not implementing CI for their projects.

Can someone more knowledgeable about the standards, the evolution of gnutls since 2.12, and the
server configuration of elpa.gnu.org please weigh in on this?

I'm not such an expert on this, but in general, security assumes
latest versions of related software and databases.

Security requires *patched* versions, not *updated* versions. That's a big difference. Ubuntu LTS gets
security patches until the end of its lifetime, but no bug fixes or new features. The security patches only fix
vulnerabilities. 

To me, the fact that a newer version of GnuTLS doesn't show this
problem means that the issue was resolved by further development of
that package.  Maybe Ubuntu needs to backport more patches?

Anyway, we can continue discussing this here to Kingdom Come, but if
we want to hear from experts, this issue should be brought on the
GnuTLS mailing list, not here.

Ok, I’m re-posting to gnutls-help.


