Re: GnuTLS for W32

[Chong Yidong]

Ted Zlatanov <address@hidden> writes:

> On Fri, 6 Jan 2012 16:47:56 +0100 Juanma Barranquero <address@hidden> wrote:
>
> JB> Anyway, I think the dead equine has been beaten to a pulp and turned
> JB> into fertilizer. We don't really advance anything rehashing the same
> JB> arguments again and again, IMHO. YMMV.
>
> I appreciate your opinions and hope we can find some middle ground that
> will satisfy everyone's expectations.

Here are my thoughts:

- First of all, any change involving distributing GnuTLS with Emacs
  should be post-24.1.

- Phoning home on startup by default is out of the question.  There are
  lots of users with the "open Emacs many times" usage pattern, even
  though that usage pattern is discouraged.  Accessing the network for
  each startup would be unreasonable, quite apart from the privacy
  concerns (GNU knows each time you launch Emacs!)

- I am open to improvements to package.el to implement _periodic_ update
  checking, and improvements to check for updates in M-x list-packages.
  It is probably not too difficult to add some infrastructure to
  highlight "strongly recommended updates" in the Package Menu.

- I agree with Lars' point that

> I don't really see that there's much of a difference between bugs in
> libgnutls and in the Emacs binary proper.  If a major security hole was
> discovered in Emacs, then presumably a new Emacs release would be made.
> If a major libgnutls hole was discovered, then presumably someone would
> zip up a new Windows release.

  If a really serious security flaw is found in GnuPG, and we are
  distributing GnuPG with Emacs, we should make an Emacs security
  release, exactly as though it was a security flaw in Emacs itself.