Re: Getting SSL test A+ grade on elpa.gnu.org
From: Vasilij Schneidermann
Subject: Re: Getting SSL test A+ grade on elpa.gnu.org
Date: Wed, 25 Nov 2020 18:38:12 +0100

> It could have a bad effect on security and privacy for emacs users. Would
> you apply only TLS 1.3 on elpa.gnu.org?

ITYM TLSv1.2 and upwards. Remember how GNU ELPA merely supporting
TLSv1.3 required Emacs versions older than 26.3 to apply a workaround to
successfully establish a connection to GNU ELPA?

Another thing to watch out for is the cipher suites. To reach a good
rating several of them need to be disabled and extensive testing is
required to ensure that we don't exclude users from fetching packages
for no apparent reason.

Something else I'm curious about, what exactly blocks us from forcing an
HTTP->HTTPS redirect? Is it waiting for Emacs 26.1 and newer to become a
widely used Emacs version or are there others?

Vasilij