emacs-devel

Re: A couple of questions and concerns about Emacs network security


From: Perry E. Metzger
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Thu, 5 Jul 2018 11:58:26 -0400

On Sat, 23 Jun 2018 09:45:57 +0300 Eli Zaretskii <address@hidden> wrote:
> > From: Paul Eggert <address@hidden>
> > Date: Fri, 22 Jun 2018 15:43:35 -0700
> > Cc: Lars Magne Ingebrigtsen <address@hidden>
> >   
> > > 2. Now that `starttls.el` and `tls.el` are obsolete, and GnuTLS
> > > doesn't seem to be doing a very good job, can we link to
> > > something better maintained, such as
> > > OpenSSL/LibreSSL/BoringSSL/NSS?  
> > 
> > I would think the answer to that could be "yes" too. Despite its
> > name, GnuTLS is no longer GNU code, and we're under no obligation
> > to promote it. However, this would take some work. We'd surely
> > want the option to link to either GnuTLS or OpenSSL/etc.  
> 
> GnuTLS may not be a GNU project in the formal sense, but nothing has
> changed in its development methods or in its spirit since it was.
> OpenSSL is even less of a GNU project, and AFAIR includes components
> that are not even Free Software.

So far as I can tell and am aware, OpenSSL is fully free software.
There are no unfree components.

> Moreover, having 2 different
> libraries for the same task in Emacs will be a maintenance burden we
> are better without,

The security of OpenSSL is, so far as I can tell, more reliably
managed. There's a large team that worries about it, and the security
of cryptographic libraries is a difficult problem. Everything from
timing attacks to very subtle mistakes in nonce generation has to go
perfectly.

Perry
-- 
Perry E. Metzger                address@hidden


