Re: Enforcing TLS for GNU ELPA
From: Jean Louis
Subject: Re: Enforcing TLS for GNU ELPA
Date: Tue, 20 Oct 2020 14:38:02 +0300
User-agent: Mutt/1.10.1 (2018-07-13)

* Vasilij Schneidermann <mail@vasilij.de> [2020-10-20 13:07]:
> > > - There are still Windows users who do not have an installation with the
> > > gnutls libraries, despite the strong suggestion to download it for the
> > > full experience.
> >
> > I would say, sorry, there is no access to Emacs supported packages. If
> > they want it without signing, they can find out the configuration option.
> >
> > > - Emacs versions below 26.1 are affected by an HTTPS proxy bug [1] that
> > > makes life in corporate environments hard.
> >
> > I would say sorry for that, and would push security.
>
> What you propose is different: Adjust the default value of
> `package-archives` to always use https:// URLs, whereas I propose a more
> invasive change: Adjust the server-side behavior to not allow any kind
> of opt-out.

That way the SSL security is not enforced from the Emacs side, but from
various servers; there can be a plethora of ELPA archives online. Then
users depend on each single server.

> > An administrator in a corporate environment can provide all allowed or
> > corporation-approved packages to each user, either by making general
> > settings on a single computer, or by entering defaults in
> > /etc/skel/.emacs.d/elpa/you-name-it
> >
> > The majority of GNU/Linux distributions already have Emacs packages inside
> > the distribution. Some of them have more than a few hundred packages.
> >
> > In that sense, the corporate environment is not a problem, as the BOFH can do
> > it for its users.
>
> That assumes a different kind of corporate environment where the focus
> is on provisioning users with software known to be safe. The issue I've
> pointed out is about communication via a corporation-mandated proxy being
> impossible, something very different.

Those users can ask for permission and bring their packages on
storage, as networked ELPA is for the network; it assumes people have access.
ELPA can be on storage; it need not be on the network, it can be on a file
system.