From: bug#51038 <51038@debbugs.gnu.org>
To: bug#51038 <51038@debbugs.gnu.org>
Date: Sat, 21 Jun 2025 17:41:00 +0000
Subject: Status: 27.2; ELPA certificate not trusted on Windows

retitle 51038 27.2; ELPA certificate not trusted on Windows
reassign 51038 emacs
submitter 51038 "Michael Hoffman"
severity 51038 normal
tag 51038 notabug
thanks


From: "Michael Hoffman"
To: bug-gnu-emacs@gnu.org
Date: Tue, 05 Oct 2021 15:14:24 +0000
Subject: 27.2; ELPA certificate not trusted on Windows

emacs.exe -Q --eval '(package-list-packages)' produces a *Network Security Manager* buffer:

```
Certificate information
Issued by: R3
Issued to: CN=elpa.gnu.org
Hostname: elpa.gnu.org
Public key: RSA, signature: RSA-SHA256
Session: TLS1.3, key: ECDHE-RSA, cipher: AES-256-GCM, mac: AEAD
Security level: Medium
Valid: From 2021-09-28 to 2021-12-27

The TLS connection to elpa.gnu.org:443 is insecure for the following
reasons:

* certificate has expired
* certificate could not be verified
```

Output of `gnutls-cli.exe elpa.gnu.org`:

```
|<1>| There was a non-CA certificate in the trusted list: OU=Copyright (c) 1997 Microsoft Corp.,OU=Microsoft Corporation,CN=Microsoft Root Authority.
|<1>| There was a non-CA certificate in the trusted list: C=US,O=MSFT,CN=Microsoft Authenticode(tm) Root Authority.
|<1>| There was a non-CA certificate in the trusted list: CN=Root Agency.
Processed 55 CA certificate(s).
Resolving 'elpa.gnu.org:443'...
Connecting to '209.51.188.89:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `CN=elpa.gnu.org', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x032e7afac8c8ff8acef5382c75dc16538637, RSA key 2048 bits, signed using RSA-SHA256, activated `2021-09-28 20:42:42 UTC', expires `2021-12-27 20:42:41 UTC', pin-sha256="WYj0qX4c/Xw7gDsCopUPyykUZoDxWda2RX3oSCAMTKE="
	Public Key ID:
		sha1:5641117962b98566f89ee43b392d5fa6a5c7e92d
		sha256:5988f4a97e1cfd7c3b803b02a2950fcb29146680f159d6b6457de848200c4ca1
	Public Key PIN:
		pin-sha256:WYj0qX4c/Xw7gDsCopUPyykUZoDxWda2RX3oSCAMTKE=

- Certificate[1] info:
 - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
- Certificate[2] info:
 - subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30 18:14:03 UTC', pin-sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="
- Status: The certificate is NOT trusted. The certificate chain uses expired certificate.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
```

In `certlm.msc`, under "Certificates - Local Computer\Trusted Root Certification Authorities\Certificates" there is a "DST Root CA X3" certificate expiration 9/30/2021 serial number 44afb080d6a327ba893039862ef8406b. There is also an "ISRG Root X1" certificate expiration 6/4/2035 serial number 008210cfb0d240e3594463e0bb63828b00.

It looks like GnuTLS is trying to check the certificate chain using the DST Root CA X3 which has expired. The serial number and expiration for the ISRG Root X1 in the certificates provided by elpa.gnu.org do not match the one that Windows trusts.

Is this something that can be fixed on elpa.gnu.org? Something that I need to fix in Windows?

In GNU Emacs 27.2 (build 1, x86_64-w64-mingw32)
 of 2021-03-26 built on CIRROCUMULUS
Repository revision: deef5efafb70f4b171265b896505b92b6eef24e6
Repository branch: HEAD
Windowing system distributor 'Microsoft Corp.', version 10.0.19043
System Description: Microsoft Windows 10 Home (v10.0.2009.19043.1237)

Configured using:
 'configure --without-dbus --host=x86_64-w64-mingw32
 --without-compress-install 'CFLAGS=-O2 -static''

Configured features:
XPM JPEG TIFF GIF PNG RSVG SOUND NOTIFY W32NOTIFY ACL GNUTLS LIBXML2
HARFBUZZ ZLIB TOOLKIT_SCROLL_BARS MODULES THREADS JSON PDUMPER LCMS2 GMP

Important settings:
  value of $LANG: en_US
  locale-coding-system: utf-8-unix


From: John Cummings
To: Michael Hoffman
Cc: 51038@debbugs.gnu.org
Date: Tue, 05 Oct 2021 17:35:35 +0000
Subject: Re: bug#51038: 27.2; ELPA certificate not trusted on Windows

Hi Michael,

I'm just a user, but I've run into this bug recently and have been researching the options as they relate to Emacs. I believe that this is what you should expect if you are using gnutls 3.6.12 and you have the expired X3 root cert in your trust store. As you're seeing, that version of gnutls treats the chain as expired because of the expired root, even though it could validate it due to the alternate path leading to the ISRG root. I confirmed both of those on my Emacs 27.2 Windows installation from the builds kindly published by GNU, which I assume you are using. Since this is a self-contained build not living in a package management system, I don't BELIEVE there is any good way to fix the root cause of the problem on your system without rebuilding Emacs with gnutls >= 3.6.14, so I'm not sure if the maintainers will close this, or slot it for the next Windows build that gets published.

But hopefully this is something you can address on your side for now. Since this is expected behavior, the least invasive thing to do is probably to decide to trust that certificate (a)lways, assuming you are confident in its identity. I am personally confident in that, because I verified that the key checksums Emacs is reporting do belong to elpa.gnu.org. You don't have to take my word for that; you can download the cert in a browser that you trust (which probably will not be experiencing this problem), and then dump the public key info with something like "certtool --infile=elpa-gnu-org.pem --pubkey". I believe that certtool is bundled in that Windows installation.

I was also able to bypass this problem by removing that expired X3 root cert from my list of trusted roots in Windows, but it seems risky and unnecessary compared with the previous option. So I'm not recommending that, just noting that it seems to work for me.

This issue could be addressed on the server side as well, but some services are choosing to leave this chain with the expired root in place. There are valid reasons to do this, and correct clients (like gnutls 3.6.14) should be able to handle it, but I don't know the specifics on why GNU has chosen to leave it so far.

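
The behaviour described in the message above, as an added illustration that is not part of the thread and is not GnuTLS code: a simplified path-validation model using the subjects, issuers and expiry dates from the report. The function names are hypothetical, and matching certificates by name stands in for the key and signature checks a real verifier performs.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date


# Chain sent by elpa.gnu.org, per the gnutls-cli output in the report.
LEAF = Cert("elpa.gnu.org", "R3", date(2021, 12, 27))
R3 = Cert("R3", "ISRG Root X1", date(2025, 9, 15))
X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))
CHAIN = [LEAF, R3, X1_CROSS]

# Roots the reporter found in the Windows trust store (certlm.msc).
DST_X3 = Cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))
X1_SELF = Cert("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4))


def make_store(*roots):
    """Trust store keyed by subject name (assumption: names are unique)."""
    return {root.subject: root for root in roots}


def expired(cert, today):
    return today > cert.not_after


def chain_is_linked(chain):
    """Each certificate must be issued by the next one in the list."""
    return all(a.issuer == b.subject for a, b in zip(chain, chain[1:]))


def verify_top_only(chain, store, today):
    """Model of the older behaviour: anchor only at the issuer of the last
    certificate the server sent. An expired anchor ends verification; the
    fallback on the last certificate's own name runs only when no issuer
    is found at all."""
    if not chain_is_linked(chain):
        return "broken chain"
    if any(expired(c, today) for c in chain):
        return "expired"
    top = chain[-1]
    anchor = store.get(top.issuer)
    if anchor is not None:
        return "expired" if expired(anchor, today) else "trusted"
    same_name_root = store.get(top.subject)
    if same_name_root is not None and not expired(same_name_root, today):
        return "trusted"
    return "signer not found"


def verify_any_path(chain, store, today):
    """Model of the corrected behaviour: walk up from the leaf and accept
    the first unexpired trust anchor that issued any certificate on the
    way, ignoring whatever the server sent above that point."""
    if not chain_is_linked(chain):
        return "broken chain"
    saw_expired_anchor = False
    for cert in chain:
        if expired(cert, today):
            return "expired"
        anchor = store.get(cert.issuer)
        if anchor is None:
            continue
        if not expired(anchor, today):
            return "trusted"
        saw_expired_anchor = True
    return "expired" if saw_expired_anchor else "signer not found"


def outcomes(today=date(2021, 10, 5)):
    """The three situations mentioned in the thread, on the report date."""
    both_roots = make_store(DST_X3, X1_SELF)
    return {
        "old verifier, expired X3 in store": verify_top_only(CHAIN, both_roots, today),
        "old verifier, X3 removed": verify_top_only(CHAIN, make_store(X1_SELF), today),
        "fixed verifier, expired X3 in store": verify_any_path(CHAIN, both_roots, today),
    }


if __name__ == "__main__":
    for label, verdict in outcomes().items():
        print(f"{label}: {verdict}")
```
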

From: Lars Ingebrigtsen
To: John Cummings
Cc: Michael Hoffman, 51038@debbugs.gnu.org
Date: Wed, 06 Oct 2021 11:25:12 +0200
Subject: Re: bug#51038: 27.2; ELPA certificate not trusted on Windows

John Cummings writes:

> I believe that this is what you should expect if you are using gnutls
> 3.6.12 and you have the expired X3 root cert in your trust store.

Yup. So this isn't a problem on Savannah. Quoting:

----
From: Bob Proulx
Subject: Certificate Expiration Event September 2021

On September 30, 2021, as planned the DST Root CA X3 cross-sign has expired for the Let's Encrypt trust chain. That was a normal and planned event. However coupled with a verification error in the code of libraries authenticating certificates it caused some clients that have not been updated to fixed versions to have problems validating certificates.

If you are experiencing invalid certificate chain problems with Let's Encrypt certificates (not a Savannah problem) then please upgrade your client to the latest security patches for your system.

Please reference these resources as to upstream information and discussion about the issue.

* https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
* https://community.letsencrypt.org/t/production-chain-changes/150739/4
* https://letsencrypt.org/docs/certificate-compatibility/
* https://letsencrypt.org/certificates/
* https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
----

So I'm closing this bug report.

--
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no


From: Lars Ingebrigtsen
To: control@debbugs.gnu.org
Date: Wed, 06 Oct 2021 11:25:16 +0200
Subject: control message for bug #51038

tags 51038 notabug
close 51038
quit


From: John Cummings
To: Lars Ingebrigtsen, 51038@debbugs.gnu.org
Cc: Michael Hoffman
Date: Wed, 06 Oct 2021 10:54:01 +0000
Subject: bug#51038: 27.2; ELPA certificate not trusted on Windows

Lars Ingebrigtsen wrote:

> John Cummings john@rootabega.net writes:
>
> > I believe that this is what you should expect if you are using gnutls
> > 3.6.12 and you have the expired X3 root cert in your trust store.
>
> Yup. So this isn't a problem on Savannah. Quoting:
>
> -----------------------------------------------------
>
> From: Bob Proulx INVALID.NOREPLY@gnu.org

> certificates (not a Savannah problem) then please upgrade your client to the
> latest security patches for your system.

Is there a recommended way to do that for the Windows builds of Emacs published to ftp.gnu.org?


From: Eli Zaretskii
To: John Cummings
Cc: 51038@debbugs.gnu.org, emacs-hoffman@snkmail.com, larsi@gnus.org
Date: Wed, 06 Oct 2021 15:57:23 +0300
Subject: Re: bug#51038: 27.2; ELPA certificate not trusted on Windows

> Date: Wed, 06 Oct 2021 10:54:01 +0000
> From: John Cummings
> Cc: Michael Hoffman
>
> > > I believe that this is what you should expect if you are using gnutls
> > > 3.6.12 and you have the expired X3 root cert in your trust store.
> > Yup. So this isn't a problem on Savannah. Quoting:
> >
> > -----------------------------------------------------
> >
> > From: Bob Proulx INVALID.NOREPLY@gnu.org
> > certificates (not a Savannah problem) then please upgrade your client to the
> > latest security patches for your system.
>
> Is there a recommended way to do that for the Windows builds of Emacs published to ftp.gnu.org?

I don't understand: you want to do what for that build?


From: John Cummings
To: larsi@gnus.org, Eli Zaretskii
Cc: 51038@debbugs.gnu.org, emacs-hoffman@snkmail.com
Date: Wed, 06 Oct 2021 13:12:14 +0000
Subject: bug#51038: 27.2; ELPA certificate not trusted on Windows

Eli Zaretskii wrote:

>> Date: Wed, 06 Oct 2021 10:54:01 +0000
>> From: John Cummings
>> Cc: Michael Hoffman
>>
>> > > I believe that this is what you should expect if you are using gnutls
>> > > 3.6.12 and you have the expired X3 root cert in your trust store.
>> > Yup. So this isn't a problem on Savannah. Quoting:
>> >
>> > -----------------------------------------------------
>> >
>> > From: Bob Proulx INVALID.NOREPLY@gnu.org
>> > certificates (not a Savannah problem) then please upgrade your client to the
>> > latest security patches for your system.
>>
>> Is there a recommended way to do that for the Windows builds of Emacs published to ftp.gnu.org?
>
>I don't understand: you want to do what for that build?

Upgrade the client -- emacs and gnutls -- to work with this trust chain.


From: Eli Zaretskii
To: John Cummings
Cc: 51038@debbugs.gnu.org, emacs-hoffman@snkmail.com, larsi@gnus.org
Date: Wed, 06 Oct 2021 16:35:12 +0300
Subject: Re: bug#51038: 27.2; ELPA certificate not trusted on Windows

> Date: Wed, 06 Oct 2021 13:12:14 +0000
> From: John Cummings
> Cc: 51038@debbugs.gnu.org, emacs-hoffman@snkmail.com
>
> >I don't understand: you want to do what for that build?
>
> Upgrade the client -- emacs and gnutls -- to work with this trust chain.

That's not how this stuff works on MS-Windows. There, the certificates are stored by the system, and GnuTLS (and Emacs) just use what the system stores. See gnutls_certificate_set_x509_system_trust. So you need to update your Windows system, and then everything will work.

Of course, you can install a cert bundle from someplace and tell GnuTLS to use it. But I'm not sure this is easy on Windows, or that it would override the system's trust store, or even where to download that from. And in any case, the fix is again on your system, not in Emacs or in GnuTLS: those don't come with any certificate DB, at least not AFAIK.


From: John Cummings
To: Eli Zaretskii
Cc: 51038@debbugs.gnu.org, emacs-hoffman@snkmail.com, larsi@gnus.org
Date: Wed, 06 Oct 2021 13:39:50 +0000
Subject: bug#51038: 27.2; ELPA certificate not trusted on Windows

Eli Zaretskii wrote:

>> Date: Wed, 06 Oct 2021 13:12:14 +0000
>> From: John Cummings
>> Cc: 51038@debbugs.gnu.org, emacs-hoffman@snkmail.com
>>
>> >I don't understand: you want to do what for that build?
>>
>> Upgrade the client -- emacs and gnutls -- to work with this trust chain.
>
> That's not how this stuff works on MS-Windows.

That's how it works on any system running gnutls 3.6.12, no? The bug in gnutls is fixed in 3.6.14.

From debbugs-submit-bounces@debbugs.gnu.org Wed Oct 06 10:50:39 2021
From: Michael Hoffman
Date: Wed, 6 Oct 2021 09:57:21 -0400
Subject: Re: bug#51038: 27.2; ELPA certificate not trusted on Windows
To: "John Cummings john-at-rootabega.net |emacs-hoffman|"
Cc: 51038@debbugs.gnu.org, Eli Zaretskii, larsi@gnus.org

Thanks John for the detailed analysis. Windows Update reports my system
is up to date. As I understand it:

1. My certificate store is valid.
2. Savannah's HTTPS responses are valid.
3. Emacs 27.2 per se's behavior is valid.
4. GnuTLS 3.6.12 has a bug that produces incorrect results even in
   presence of 1-2.
5. Emacs 27.2 Windows binaries from ftp.gnu.org include GnuTLS 3.6.12,
   which has this bug.

The Emacs 28 pretest Windows binaries from earlier in the year include
GnuTLS 3.6.15. I hope this means everything will work as expected on the
final Emacs 28.1 Windows binaries.

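Added example, not part of any message in this thread and not GnuTLS code: a simplified Python model of the failure summarized in point 4 above, using the root cause given later in the thread (the validator fixes on the expired root without considering alternate paths, and removing the expired root hides the behavior). The certificate names, keys and dates are constructed, both validator functions are hypothetical, and the fallback step in `validate_top_anchor_only` is an assumption of this model.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str     # name the certificate is issued to
    issuer: str      # name of the signer
    key: str         # stand-in for the subject's public key
    signed_by: str   # stand-in for the key that produced the signature
    not_after: date  # expiry date


def expired(cert, today):
    return today > cert.not_after


def links_ok(chain, today):
    """Every cert is unexpired and each one is signed by the next in the list."""
    if any(expired(c, today) for c in chain):
        return False
    return all(c.issuer == p.subject and c.signed_by == p.key
               for c, p in zip(chain, chain[1:]))


def find_issuer(cert, store):
    """Trust-store entry whose name and key match the signer of `cert`."""
    for anchor in store:
        if anchor.subject == cert.issuer and anchor.key == cert.signed_by:
            return anchor
    return None


def validate_top_anchor_only(chain, store, today):
    """Model of the reported behaviour: only the issuer of the last
    certificate the server sent is considered as trust anchor."""
    if not links_ok(chain, today):
        return "untrusted"
    top = chain[-1]
    anchor = find_issuer(top, store)
    if anchor is not None:
        # An expired anchor ends validation; no other path is tried.
        return "expired" if expired(anchor, today) else "ok"
    # Assumption of this model: with no issuer in the store, accept the top
    # certificate if the store holds an unexpired anchor with its name and key.
    for a in store:
        if (a.subject, a.key) == (top.subject, top.key) and not expired(a, today):
            return "ok"
    return "untrusted"


def validate_with_alternate_paths(chain, store, today):
    """Try each prefix of the presented chain, shortest first, and accept
    the first one that ends at an unexpired trust anchor."""
    saw_expired_anchor = False
    for end in range(1, len(chain) + 1):
        prefix = chain[:end]
        if not links_ok(prefix, today):
            break
        anchor = find_issuer(prefix[-1], store)
        if anchor is None:
            continue
        if not expired(anchor, today):
            return "ok"
        saw_expired_anchor = True
    return "expired" if saw_expired_anchor else "untrusted"


# Constructed sample data: a three-certificate chain whose last entry is a
# cross-signed copy of the new root, issued by a root that has expired.
TODAY = date(2021, 10, 5)
OLD_ROOT = Cert("Old Root", "Old Root", "k-old", "k-old", date(2021, 9, 30))
NEW_ROOT = Cert("New Root", "New Root", "k-new", "k-new", date(2035, 1, 1))
CROSS = Cert("New Root", "Old Root", "k-new", "k-old", date(2024, 1, 1))
INTERMEDIATE = Cert("Intermediate", "New Root", "k-int", "k-new", date(2025, 1, 1))
LEAF = Cert("CN=server.example", "Intermediate", "k-leaf", "k-int", date(2021, 12, 27))
SERVER_CHAIN = [LEAF, INTERMEDIATE, CROSS]


def compare(store, today=TODAY):
    """Return (top-anchor-only result, alternate-path result) for one store."""
    return (validate_top_anchor_only(SERVER_CHAIN, store, today),
            validate_with_alternate_paths(SERVER_CHAIN, store, today))


if __name__ == "__main__":
    for label, store in (("both roots trusted", [OLD_ROOT, NEW_ROOT]),
                         ("expired root removed", [NEW_ROOT]),
                         ("only expired root", [OLD_ROOT])):
        print(f"{label:22} {compare(store)}")
```

The first store reproduces the report (valid store, valid chain, rejected as expired); the second shows why deleting the expired root makes the symptom disappear without changing the validator.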
From debbugs-submit-bounces@debbugs.gnu.org Wed Oct 06 11:36:44 2021
Date: Wed, 06 Oct 2021 18:36:26 +0300
Message-Id: <83a6jm2mit.fsf@gnu.org>
From: Eli Zaretskii
To: John Cummings
In-Reply-To: (message from John Cummings on Wed, 06 Oct 2021 13:39:50 +0000)
Subject: Re: bug#51038: 27.2; ELPA certificate not trusted on Windows
Cc: 51038@debbugs.gnu.org, emacs-hoffman@snkmail.com, larsi@gnus.org

> Date: Wed, 06 Oct 2021 13:39:50 +0000
> From: John Cummings
> Cc: larsi@gnus.org, 51038@debbugs.gnu.org, emacs-hoffman@snkmail.com
>
> > That's not how this stuff works on MS-Windows.
>
> That's how it works on any system running gnutls 3.6.12, no? The bug
> in gnutls is fixed in 3.6.14.

Maybe we aren't talking about the same bug, then. AFAIU, the problem
is supposed to be solved by updating the cert bundle, isn't that so?

If the bug is in GnuTLS, then simply install a newer one from the
MSYS2 site, and that's it.

From debbugs-submit-bounces@debbugs.gnu.org Wed Oct 06 12:13:47 2021
Date: Wed, 06 Oct 2021 16:13:35 +0000
To: Eli Zaretskii
From: John Cummings
Subject: bug#51038: 27.2; ELPA certificate not trusted on Windows
In-Reply-To: <83a6jm2mit.fsf@gnu.org>
Cc: 51038@debbugs.gnu.org, emacs-hoffman@snkmail.com, larsi@gnus.org
Reply-To: John Cummings

Eli Zaretskii wrote:

>> Date: Wed, 06 Oct 2021 13:39:50 +0000
>> From: John Cummings
>> Cc: larsi@gnus.org, 51038@debbugs.gnu.org, emacs-hoffman@snkmail.com
>>
>> > That's not how this stuff works on MS-Windows.
>>
>> That's how it works on any system running gnutls 3.6.12, no? The bug
>> in gnutls is fixed in 3.6.14.

> Maybe we aren't talking about the same bug, then. AFAIU, the problem
> is supposed to be solved by updating the cert bundle, isn't that so?

In my understanding, the root cause is that GnuTLS focuses on the
expired root without considering alternate paths, so removing the
expired root hides the behavior, but GnuTLS would still need fixing.

> If the bug is in GnuTLS, then simply install a newer one from the
> MSYS2 site, and that's it.

That makes sense to me as one possible way to correct this. It seems
like we all agree that the 27.2 Windows build on ftp.gnu.org has this
"potential for undesirable behavior" (if the term "bug" doesn't sit
right with anyone.) I thought this bug report would end up serving to:

1. acknowledge the behavior in that specific binary
2. list fixes/workarounds like updating GnuTLS individually, or
   modifying the system trust store
3. communicate that this behavior will no longer happen in the
   version 28 binaries (once released), for those who might not be in
   a position to update GnuTLS independently, or would rather wait for
   an updated binary with deps.

I understand that the Windows binaries are a volunteer courtesy, so if
nothing else, I think users of that binary would benefit from some
formal thing telling them that this behavior exists and will eventually
be changed. Hopefully that's already accomplished, and people will just
find this bug if they search, and understand the situation with respect
to the v 28 Windows binaries.

From debbugs-submit-bounces@debbugs.gnu.org Sun Oct 24 12:49:42 2021
From: Ioannis Kappas
Date: Sun, 24 Oct 2021 17:49:26 +0100
Subject: bug#51038: 27.2; ELPA certificate not trusted on Windows
To: Eli Zaretskii, john@rootabega.net
Cc: 51038@debbugs.gnu.org, emacs-hoffman@snkmail.com, Lars Ingebrigtsen

Hi all,

doublep/eldev (the Elisp Development Tool) is just an example of a
project that has been affected by this issue and has taken some time
and serious effort to figure out what was going wrong:
https://github.com/doublep/eldev/issues/55. The CI running the eldev
test suite on GitHub Windows 2019 servers, which involved downloading
packages from MELPA, suddenly started to fail one day when connecting
to stable.melpa.org. The same tests passed on Linux/MacOs builds.

I am sure there are many more other such instances, either projects or
just users that are affected by it, and are perplexed with the current
situation without having knowledge of the root cause.

May I please argue that this should be at least acknowledged as an
important issue with the latest official GNU emacs 27.2 binary
MS-Windows release as advertised in the `GNU Emacs Download & Install
page' @ https://www.gnu.org/software/emacs/download.html, under
`Nonfree systems`->Windows:

"""GNU Emacs for Windows can be downloaded from a nearby GNU mirror;
or the main GNU FTP server"""

Where `GNU mirror` points to
http://ftp.gnu.org/gnu/emacs/windows/emacs-27/, with the affected
emacs 27.2 releases dated on 2021-Mar-31.

The issue is that the *latest official Gnu Emacs windows binary
releases*, as of today, at the official GNU Emacs download site are
*bundled* with gnutls-3.6.12 which is susceptible to GnuTLS bug#1008
(titled as Handle expiration of AddTrust root certificate (urgent) --
https://gitlab.com/gnutls/gnutls/-/issues/1008) which refuses
connections to sites with valid certificates whose issuer consists of
dual certificates of which one has expired but the other is
not-expired i.e. valid. As such, the official precompiled Emacs 27.2
Windows binaries cannot connect to these sites, which severely
compromises Emacs functionality, with preventing Emacs connecting to
package archives such as ELPA or MELPA being the most prevailing
example.

Thus, I advocate, that the latest official precompiled Gnu Emacs
MS-Windows binaries have a serious issue (caused by a bug in the
GnuTLS version they are bundled with), that either needs to be
addressed or a workaround needs to be suggested somewhere in the
download/install instructions.

For completion I list the available options discussed in this thread/I
can think of with any disadvantages I can think of:

1. Fix: Release new precompiled Emacs 27.2 binary versions to the
   official site bundled with a GnuTLS version that has GnuTLS#1008
   fix, i.e. with version >= 3.6.14 (is this likely to be a release
   nightmare?)

2. Fix: Wait until the next release (I believe 28.x release is around
   the corner?). This leaves Emacs users which rely on the latest
   official build vulnerable; i.e. users that follow the official
   instructions and don't know what MSYS2 is or how to use it or can't
   be bothered -- this is probably the majority of nontechnical users
   -- or users in systems behind corporate firewalls that do not
   permit install of third party tools msys2/chocolatey/scoop, or
   users in remote servers with preinstalled version of latest emacs
   version -- for example GitHub windows 2019 build/test farms.

3. Work around: Document the issue somewhere that a prospective user
   can't miss (e.g. official download page or the readme document
   alongside the binaries, anything else?), with workarounds being

   3.1 Update windows certificate store to remove expired certificate
       as mentioned in this thread (not sure how this would work, how
       do users find the list of the ones that expired? Does it
       require special permission to remove certs? I suppose `Let's
       encrypt' issuers certificates are not the only one affected,
       there may be more either now or down the line).

   3.2 use MSYS2 to build (pickup?) a 27.2 version with the latest
       GnuTLS lib (or chocolatey, or scoop perhaps if such version
       exist there). Though user might not have the technical
       background to do so or the host is restricted in respect to the
       tools that can be installed (systems behind corporate
       firewalls) or the target system is a server with limited access
       as to the choice of tools that can be installed (e.g. custom
       build Windows 2019 github server farms).

4. Work around: the same as #3 but without updating instructions about
   the problem or how to fix it. Leaves users who rely on the latest
   official releases without knowledge of this issue in the most
   vulnerable and perplexed for them situation.

Thank you

From debbugs-submit-bounces@debbugs.gnu.org Sun Oct 24 13:11:38 2021
Date: Sun, 24 Oct 2021 20:11:13 +0300
Message-Id: <83mtmy2vri.fsf@gnu.org>
From: Eli Zaretskii
To: Ioannis Kappas
In-Reply-To: (message from Ioannis Kappas on Sun, 24 Oct 2021 17:49:26 +0100)
Subject: Re: bug#51038: 27.2; ELPA certificate not trusted on Windows
Cc: john@rootabega.net, 51038@debbugs.gnu.org, larsi@gnus.org, emacs-hoffman@snkmail.com

> From: Ioannis Kappas
> Date: Sun, 24 Oct 2021 17:49:26 +0100
> Cc: 51038@debbugs.gnu.org, emacs-hoffman@snkmail.com,
>  Lars Ingebrigtsen
>
> Thus, I advocate, that the latest official precompiled Gnu Emacs
> MS-Windows binaries have a serious issue (caused by a bug in the
> GnuTLS version they are bundled with), that either needs to be
> addressed or a workaround needs to be suggested somewhere in the
> download/install instructions.

AFAIU, this issue is not with Emacs, it's with GnuTLS. So all you
need is download and install a newer GnuTLS, where this problem was
fixed, in place of the old one. Emacs should then work with that
GnuTLS; there's no need to rebuild Emacs itself.

If you already tried that and it didn't work, please tell the details.

From debbugs-submit-bounces@debbugs.gnu.org Sun Oct 24 14:21:18 2021
In-Reply-To: <83mtmy2vri.fsf@gnu.org>
From: Ioannis Kappas
Date: Sun, 24 Oct 2021 19:21:00 +0100
Subject: Re: bug#51038: 27.2; ELPA certificate not trusted on Windows
To: Eli Zaretskii
Cc: john@rootabega.net, 51038@debbugs.gnu.org, Lars Ingebrigtsen, emacs-hoffman@snkmail.com

Hi Eli,

On Sun, Oct 24, 2021 at 6:11 PM Eli Zaretskii wrote:

> > Thus, I advocate, that the latest official precompiled Gnu Emacs
> > MS-Windows binaries have a serious issue (caused by a bug in the
> > GnuTLS version they are bundled with), that either needs to be
> > addressed or a workaround needs to be suggested somewhere in the
> > download/install instructions.
>
> AFAIU, this issue is not with Emacs, it's with GnuTLS. So all you
> need is download and install a newer GnuTLS, where this problem was
> fixed, in place of the old one. Emacs should then work with that
> GnuTLS; there's no need to rebuild Emacs itself.
>
> If you already tried that and it didn't work, please tell the details.

(apologies for being pedantic here, just want to make sure that any
difference in opinion becomes clear)

before going into the details of a workaround, my argument is that
this is an issue with the precompiled binaries of the latest official
Gnu Emacs release at the official ftp site.

If a user or process installs today these binaries on their system,
Emacs will not work to its full potential. Furthermore, the user will
not be aware why the connection to the elpa archive fails nor of a
potential work around.

I consider this to be a major issue with the precompiled binaries
prepared by the Gnu Emacs projects, that they don't work out of the
box and are likely to leave the user/system in a perplexed/vulnerable
state.

I believe you are saying that there is no issue with the latest
official precompiled Gnu Emacs Windows release (say at
http://ftp.gnu.org/gnu/emacs/windows/emacs-27/emacs-27.2-x86_64.zip),
because the error is coming from libgnu-3.6.12, a library that Emacs
depends on, and not from the Emacs code.

May I point out that libgnu-2.6.12 ships in emacs-27.2-x86_64.zip
under bin/libgnutls-30.dll, and thus the responsibility to the
maintainer of the package to fix any shortfalls IMHO?

Currently the official instructions to install the latest Gnu Emacs
release from the precompiled binaries from the official ftp site,
install a version of Emacs which is impaired, and won't work to its
full potential out of the box for any user. We need to either fix this
so it works out of the box, provide official instructions how to work
around it, or provide an official note that this is broken. Letting
users be unaware and thus vulnerable to the current behaviour IMHO is
suboptimal.

---

With regards to the suggested workaround, on my Windows machine

1. I've downloaded and unpacked
   http://ftp.gnu.org/gnu/emacs/windows/emacs-27/emacs-27.2-x86_64.zip
   to a local directory.

2. Looking for the GnuTLS precompiled version for windows, I landed on
   this page: https://www.gnutls.org/download.html

   2.1 There is a latest w64 version on gitlab link at
       https://gitlab.com/gnutls/gnutls/builds/artifacts/3.7.2/download?job=MinGW64.DLLs
       that redirects to a 404.

       2.1.1 Trying to find the artifacts by going to
             https://gitlab.com/gnutls/gnutls -> CI/CD -> Pipelines ->
             click on pipeline ID (in my case #392652428) -> Jobs ->
             mingw64/archive -> Browser -> Win64-build ->
             bin/libgnutls-30.dll -> Download (quite a mouthful) and
             replace libgnutls-30.dll with it works.

Which I find a bit too involved, especially for new users regardless
even if they are magically aware of the root issue?

Thanks!

From debbugs-submit-bounces@debbugs.gnu.org Sun Oct 24 14:44:29 2021
4.92) (envelope-from ) id 1meiTi-0001Zt-0R; Sun, 24 Oct 2021 20:44:20 +0200 From: Lars Ingebrigtsen To: Ioannis Kappas Subject: Re: bug#51038: 27.2; ELPA certificate not trusted on Windows References: <83mtmy2vri.fsf@gnu.org> Face: iVBORw0KGgoAAAANSUhEUgAAADAAAAAwBAMAAAClLOS0AAAABGdBTUEAALGPC/xhBQAAACBj SFJNAAB6JgAAgIQAAPoAAACA6AAAdTAAAOpgAAA6mAAAF3CculE8AAAALVBMVEUEBQcqLwsUKA5K TwpdawyRoQu1yAgaKCoxPjxcXWGKio0xTBRvjg3U3Af////i4YOuAAAAAWJLR0QOb70wTwAAAAd0 SU1FB+UKGBE4IRNSIqIAAAGmSURBVDjL1VI9T8NADL16CWz1pVuWnCtUpE5pyg9AhV8A7cRIsyGd uqRsiKXNVjER/gASW4EtIx8TI4z5LzhpSi8lYeeGk+VnPz+/OyH+xZFuLQSyBmh7VA20ht4vOiCm 2QtOtvOkkAE4GPwCKOdArJnRq1YMfs0qIDZqrSshJldZpOHaqAl3tLUbZ4Clo6kB7F9G8/heWMKy xH18M4+meZUQnbvb23hhRYsILjmKH+4eFqtxetXJYkLrD+NzrMrHPDev2oMZw7DkVH53ZuEs1Ea+ u8yd6HC1YQmHSjVXod7iJigKJ9tD5aa7fNxNSaNpiF8zQWk3CHVHi0ZDYVcibr0tqwFgCVQ8fdmj qgNGXPqlMMl4MiEulQUwOT0CqyVpAOQyIJ0E3YYkZVA9EtsrWy9ISFKZHZQkCp1B1qFo3cFbq6P3 0yU6fhlQrmgPz8aO37f5f6IxHND+GAWDV7Qli0VcAwrt5C1IP9H2+x5mphRA27d7x0H6hU/+kedt HAb28/D5Ig0Ol/0TzyX3x0TVRM8epaPz41O7ZLniFuf5Yjzu96AAvgG1IlSwfoWYSgAAACV0RVh0 ZGF0ZTpjcmVhdGUAMjAyMS0xMC0yNFQxNzo1NjozMyswMDowMF2Mw2EAAAAldEVYdGRhdGU6bW9k aWZ5ADIwMjEtMTAtMjRUMTc6NTY6MzMrMDA6MDAs0XvdAAAAAElFTkSuQmCC Date: Sun, 24 Oct 2021 20:44:17 +0200 In-Reply-To: (Ioannis Kappas's message of "Sun, 24 Oct 2021 19:21:00 +0100") Message-ID: <875ytm460u.fsf@gnus.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/29.0.50 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-Spam-Report: Spam detection software, running on the system "quimby.gnus.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see @@CONTACT_ADDRESS@@ for details. Content preview: Ioannis Kappas writes: > before going into the details of a workaround, my argument is that > this is an issue with the precompiled binaries of the latest official > Gnu Emacs release at the official ftp site. 
Content analysis details: (-2.9 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: 51038 Cc: john@rootabega.net, 51038@debbugs.gnu.org, Eli Zaretskii , emacs-hoffman@snkmail.com X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) Ioannis Kappas writes: > before going into the details of a workaround, my argument is that > this is an issue with the precompiled binaries of the latest official > Gnu Emacs release at the official ftp site. Yes, if somebody could build a new version of those (with an updated version of the gnutls libraries), that'd be nice. -- (domestic pets only, the antidote for overdose, milk.) 
bloggy blog: http://lars.ingebrigtsen.no

From debbugs-submit-bounces@debbugs.gnu.org Sun Oct 24 14:51:01 2021
From: Eli Zaretskii
To: Ioannis Kappas
Subject: Re: bug#51038: 27.2; ELPA certificate not trusted on Windows
Date: Sun, 24 Oct 2021 21:50:37 +0300
Message-Id: <83h7d62r5u.fsf@gnu.org>

tags 51038 notabug
thanks

> From: Ioannis Kappas
> Date: Sun, 24 Oct 2021 19:21:00 +0100
> Cc: john@rootabega.net, 51038@debbugs.gnu.org, emacs-hoffman@snkmail.com,
>  Lars Ingebrigtsen
>
> (apologies for being pedantic here, just want to make sure that any
> difference in opinion becomes clear)

I wasn't aware that we are having differences of opinions here.

> before going into the details of a workaround, my argument is that
> this is an issue with the precompiled binaries of the latest official
> Gnu Emacs release at the official ftp site. If a user or process
> installs today these binaries on their system, Emacs will not work to
> its full potential. Furthermore, the user will not be aware why the
> connection to the elpa archive fails nor of a potential work around. I
> consider this to be a major issue with the precompiled binaries
> prepared by the Gnu Emacs projects, that they don't work out of the
> box and likely to leave the user/system in a perplexed/vulnerable
> state.

That is true, but users who download precompiled binaries are at the
mercy of whoever prepared the package from the get-go, so this danger
is not new, it is inherent to this way of installing Emacs. People
who want to be completely in control should compile Emacs by
themselves. We have instructions for that in nt/INSTALL.W64.

> May I point out that libgnu-2.6.12 ships in emacs-27.2-x86_64.zip
> under bin/libgnutls-30.dll, and thus the responsibility to the
> maintainer of the package to fix any shortfalls IMHO?

We don't have a maintainer at this time. This was (and is) a
volunteer project, and the volunteer who produced that bundle stepped
down. If you'd like to replace him, I'm sure this will be very
welcome. Or maybe someone else will soon.

> Currently the
> official instructions to install the latest Gnu Emacs release from the
> precompiled binaries from the official ftp site, install a version of
> Emacs which is impaired, and won't work to its full potential out of
> the box for any user. We need to either fix this so it works out of
> the box, provide official instructions how to work around it, or
> provide an official note that this is broken. Letting users be
> unaware and thus vulnerable to the current behaviour IMHO is
> suboptimal.

There's a problem with the "we" part here. There's also a problem
with providing instructions, because the fine details depend on what
is already installed on the end-user's system. It's hard to provide a
cookbook here.

> With regards to the suggested workaround

It isn't a workaround, it's THE solution.

> 1. I've downloaded and unpacked
> http://ftp.gnu.org/gnu/emacs/windows/emacs-27/emacs-27.2-x86_64.zip to
> a local directory.
> 2. Looking for the GnuTLS precompiled version for windows, I landed on
> this page: https://www.gnutls.org/download.html
> 2.1 There is a latest w64 version on gitlab link at
> https://gitlab.com/gnutls/gnutls/builds/artifacts/3.7.2/download?job=MinGW64.DLLs
> that redirects to a 404.

The correct place to update GnuTLS is from the MSYS2 project, which is
where all the optional DLLs in the binary bundle come from. The URL
is in nt/INSTALL.W64; start by installing pacman, and then fetch the
latest mingw64 libgnutls DLLs. (I myself don't use that, so
unfortunately I cannot give you more details, but perhaps someone else
here will.)

Alternatively, I believe you can tell the Emacs NSM, once, to trust
ELPA regardless of the certificate, and then it will work henceforth.
(This _is_ a workaround.)

In any case, this is not a bug in Emacs.
From debbugs-submit-bounces@debbugs.gnu.org Sun Oct 24 16:30:30 2021
From: Ioannis Kappas
To: Eli Zaretskii
Subject: Re: bug#51038: 27.2; ELPA certificate not trusted on Windows
Date: Sun, 24 Oct 2021 21:30:09 +0100

On Sun, Oct 24, 2021 at 7:50 PM Eli Zaretskii wrote:

> > From: Ioannis Kappas
> > Date: Sun, 24 Oct 2021 19:21:00 +0100
> > Cc: john@rootabega.net, 51038@debbugs.gnu.org, emacs-hoffman@snkmail.com,
> >  Lars Ingebrigtsen
> >
> > (apologies for being pedantic here, just want to make sure that any
> > difference in opinion becomes clear)
>
> I wasn't aware that we are having differences of opinions here.

Great, I think we came to an understanding
1. Issue is not with Emacs.
2. Issue with the latest official precompiled binaries of Gnu Emacs for
MS-Windows, caused by the bundled GnuTLS library version.

> > before going into the details of a workaround, my argument is that
> > this is an issue with the precompiled binaries of the latest official
> > Gnu Emacs release at the official ftp site. If a user or process
> > installs today these binaries on their system, Emacs will not work to
> > its full potential. Furthermore, the user will not be aware why the
> > connection to the elpa archive fails nor of a potential work around. I
> > consider this to be a major issue with the precompiled binaries
> > prepared by the Gnu Emacs projects, that they don't work out of the
> > box and likely to leave the user/system in a perplexed/vulnerable
> > state.
>
> That is true, but users who download precompiled binaries are at the
> mercy of whoever prepared the package from the get-go, so this danger
> is not new, it is inherent to this way of installing Emacs. People
> who want to be completely in control should compile Emacs by
> themselves. We have instructions for that in nt/INSTALL.W64.

May I disagree with this that there is nothing to suggest that in the
official download page @
https://www.gnu.org/software/emacs/download.html, under Nonfree
systems/Windows:

"""
Windows

GNU Emacs for Windows can be downloaded from a nearby GNU mirror; or
the main GNU FTP server.
Unzip the zip file preserving the directory structure, and run
bin\runemacs.exe. Alternatively, create a desktop shortcut to
bin\runemacs.exe, and start Emacs by double-clicking on that
shortcut's icon.

The Windows binaries are signed by Phillip Lord 8E64 B119 FE4B AC58
C767 D5EC E095 C1A6 3FB1 EAD2.
"""

If this is the official position, IMHO it should be clearly stated
somewhere obvious (unless I missed it). Otherwise people old or new to
emacs think these precompiled binaries are officially supported by the
project maintainers and should work out of the box.

> > May I point out that libgnu-2.6.12 ships in emacs-27.2-x86_64.zip
> > under bin/libgnutls-30.dll, and thus the responsibility to the
> > maintainer of the package to fix any shortfalls IMHO?
>
> We don't have a maintainer at this time. This was (and is) a
> volunteer project, and the volunteer who produced that bundle stepped
> down. If you'd like to replace him, I'm sure this will be very
> welcome. Or maybe someone else will soon.

I could possibly assist if needs be. I assume this is based on
trusting the person creating the package rather than having an
automated build process in place.

> > Currently the
> > official instructions to install the latest Gnu Emacs release from the
> > precompiled binaries from the official ftp site, install a version of
> > Emacs which is impaired, and won't work to its full potential out of
> > the box for any user. We need to either fix this so it works out of
> > the box, provide official instructions how to work around it, or
> > provide an official note that this is broken. Letting users be
> > unaware and thus vulnerable to the current behaviour IMHO is
> > suboptimal.
>
> There's a problem with the "we" part here. There's also a problem
> with providing instructions, because the fine details depend on what
> is already installed on the end-user's system. It's hard to provide a
> cookbook here.

My experience with the precompiled binaries zip file is well self
contained and does not depend on anything outside of it, other than
the windows kernel.

> > With regards to the suggested workaround
>
> It isn't a workaround, it's THE solution.

OK, there is a slight difference of opinion here. The solution for me
is to update the precompiled binaries with a recent GnuTLS version on
the official download site. Having the user to install MSYS2 and
locate the dll (or download the latest version from the GnuTLS CI) as
to overwrite a single dll in the official precompiled binary,
sounds like a work around to me.

> > 1. I've downloaded and unpacked
> > http://ftp.gnu.org/gnu/emacs/windows/emacs-27/emacs-27.2-x86_64.zip to
> > a local directory.
> > 2. Looking for the GnuTLS precompiled version for windows, I landed on
> > this page: https://www.gnutls.org/download.html
> > 2.1 There is a latest w64 version on gitlab link at
> > https://gitlab.com/gnutls/gnutls/builds/artifacts/3.7.2/download?job=MinGW64.DLLs
> > that redirects to a 404.
>
> The correct place to update GnuTLS is from the MSYS2 project, which is
> where all the optional DLLs in the binary bundle come from. The URL
> is in nt/INSTALL.W64; start by installing pacman, and then fetch the
> latest mingw64 libgnutls DLLs. (I myself don't use that, so
> unfortunately I cannot give you more details, but perhaps someone else
> here will.)

Yeah, I've tested this to work too. I was trying to follow up what I
thought was your suggestion earlier and whence the instructions above.

> Alternatively, I believe you can tell the Emacs NSM, once, to trust
> ELPA regardless of the certificate, and then it will work henceforth.
> (This _is_ a workaround.)

You do get a prompt when `packages' try to connect in the GUI, but in
the batch mode (as in the Eldev case, where the error happens on a
cloud server somewhere in GitHub without the user input) you don't,
though it should be possible to disable programmatically as a possible
work around indeed.

> In any case, this is not a bug in Emacs.

Agreed, it is an issue with the latest official precompiled MS-Windows binaries.
From debbugs-submit-bounces@debbugs.gnu.org Mon Oct 25 07:48:23 2021
From: Eli Zaretskii
To: Ioannis Kappas
Subject: Re: bug#51038: 27.2; ELPA certificate not trusted on Windows
Date: Mon, 25 Oct 2021 14:48:07 +0300
Message-Id: <83a6ix2umg.fsf@gnu.org>

> From: Ioannis Kappas
> Date: Sun, 24 Oct 2021 21:30:09 +0100
> Cc: john@rootabega.net, 51038@debbugs.gnu.org, emacs-hoffman@snkmail.com,
>  Lars Ingebrigtsen
>
> > That is true, but users who download precompiled binaries are at the
> > mercy of whoever prepared the package from the get-go, so this danger
> > is not new, it is inherent to this way of installing Emacs. People
> > who want to be completely in control should compile Emacs by
> > themselves. We have instructions for that in nt/INSTALL.W64.
>
> May I disagree with this that there is nothing to suggest that in the
> official download page @
> https://www.gnu.org/software/emacs/download.html, under Nonfree
> systems/Windows:
>
> """
> Windows
>
> GNU Emacs for Windows can be downloaded from a nearby GNU mirror; or
> the main GNU FTP server.
> Unzip the zip file preserving the directory structure, and run
> bin\runemacs.exe. Alternatively, create a desktop shortcut to
> bin\runemacs.exe, and start Emacs by double-clicking on that
> shortcut's icon.
>
> The Windows binaries are signed by Phillip Lord 8E64 B119 FE4B AC58
> C767 D5EC E095 C1A6 3FB1 EAD2.
> """
>
> If this is the official position, IMHO it should be clearly stated
> somewhere obvious (unless I missed it). Otherwise people old or new to
> emacs think these precompiled binaries are officially supported by the
> project maintainers and should work out of the box.

You are reading too much into that text. It doesn't say anywhere that
these binaries are "official", nor even that they are endorsed or
blessed by the project. I don't think it's reasonable to expect us to
have a disclaimer near any binary distribution of Emacs saying it
isn't "official". There are more sites out there which distribute
precompiled binaries of Emacs.

> > There's a problem with the "we" part here. There's also a problem
> > with providing instructions, because the fine details depend on what
> > is already installed on the end-user's system. It's hard to provide a
> > cookbook here.
>
> My experience with the precompiled binaries zip file is well self
> contained and does not depend on anything outside of it, other than
> the windows kernel.

I wasn't talking about dependencies, I was talking about additional
Emacs-related software that could be installed on the user's machine,
and could affect the detailed instructions. For example, some of
those additional programs could require the old GnuTLS, so we cannot
easily say "replace with the new one".

> OK, there is a slight difference of opinion here. The solution for me
> is to update the precompiled binaries with a recent GnuTLS version on
> the official download site.

The only official download for Emacs is the source distribution. That
is the only distribution that's under the direct responsibility of the
project.

> > Alternatively, I believe you can tell the Emacs NSM, once, to trust
> > ELPA regardless of the certificate, and then it will work henceforth.
> > (This _is_ a workaround.)
>
> You do get a prompt when `packages' try to connect in the GUI, but in
> the batch mode (as in the Eldev case, where the error happens on a
> cloud server somewhere in GitHub without the user input) you don't,
> though it should be possible to disable programmatically as a possible
> work around indeed.

If you answer "allow" for that single prompt, telling the NSM to
always trust ELPA, you won't need to answer any more questions, and I
believe the batch operation will also work.
From debbugs-submit-bounces@debbugs.gnu.org Mon Oct 25 13:19:22 2021
From: Ioannis Kappas
To: Eli Zaretskii
Subject: Re: bug#51038: 27.2; ELPA certificate not trusted on Windows
Date: Mon, 25 Oct 2021 18:18:57 +0100

On Mon, Oct 25, 2021 at 12:48 PM Eli Zaretskii wrote:
>
> > From: Ioannis Kappas
> > Date: Sun, 24 Oct 2021 21:30:09 +0100
> > Cc: john@rootabega.net, 51038@debbugs.gnu.org, emacs-hoffman@snkmail.com,
> >  Lars Ingebrigtsen
> >
> > If this is the official position, IMHO it should be clearly stated
> > somewhere obvious (unless I missed it). Otherwise people old or new to
> > emacs think these precompiled binaries are officially supported by the
> > project maintainers and should work out of the box.
>
> You are reading too much into that text. It doesn't say anywhere that
> these binaries are "official", nor even that they are endorsed or
> blessed by the project. I don't think it's reasonable to expect us to
> have a disclaimer near any binary distribution of Emacs saying it
> isn't "official". There are more sites out there which distribute
> precompiled binaries of Emacs.

I believe the perception for the majority of users new or old to Emacs
is that these are the official binaries. As a random example, the
Emacs Wiki @ https://www.emacswiki.org/emacs/MsWindowsInstallation
reads (the *** are mine):

""" Guidelines for installing Emacs on MS Windows

To install the ***official*** stable binaries:

Visit https://ftp.gnu.org/gnu/emacs/windows/emacs-27/ (or
https://ftpmirror.gnu.org/emacs/windows/emacs-27/ to use a nearby
mirror).
Download the last zip-file ending in x86_64.zip for 64 bit or i686.zip
for 32 bit listed (currently emacs-27.1-x86_64.zip and
emacs-27.1-i686.zip, respectively). You might also want to read the
README file at the same site (not the one inside the zip-file).
Once the zip-file is downloaded, open it using Explorer (slow) or 7zip
(faster) and extract all the files into a directory of your choice
(e.g. c:\packages\emacs-27.1).
"""

Now, you may argue, anyone can write anything on these websites, but I
am just trying to give out the sentiment what the people think about
these precompiled binaries. I would personally not have thought these
were not official until we had this discussion.

I think this misconception should be addressed somehow, otherwise
users might be left perplexed or unable to use Emacs on Windows to its
full potential. That's my personal opinion btw, you don't have to
agree with it. You are the maintainers after all and your decisions
are most respected.

> > > There's a problem with the "we" part here. There's also a problem
> > > with providing instructions, because the fine details depend on what
> > > is already installed on the end-user's system. It's hard to provide a
> > > cookbook here.
> >
> > My experience with the precompiled binaries zip file is well self
> > contained and does not depend on anything outside of it, other than
> > the windows kernel.
>
> I wasn't talking about dependencies, I was talking about additional
> Emacs-related software that could be installed on the user's machine,
> and could affect the detailed instructions. For example, some of
> those additional programs could require the old GnuTLS, so we cannot
> easily say "replace with the new one".
> > OK, there is a slight difference of opinion here. The solution for me
> > is to update the precompiled binaries with a recent GnuTLS version on
> > the official download site.
>
> The only official download for Emacs is the source distribution. That
> is the only distribution that's under the direct responsibility of the
> project.

IMHO we have to make this clear somehow. The belief in my opinion is
that people are seeing these binaries as official.

> > > Alternatively, I believe you can tell the Emacs NSM, once, to trust
> > > ELPA regardless of the certificate, and then it will work henceforth.
> > > (This _is_ a workaround.)
> >
> > You do get a prompt when `packages' try to connect in the GUI, but in
> > the batch mode (as in the Eldev case, where the error happens on a
> > cloud server somewhere in GitHub without the user input) you don't,
> > though it should be possible to disable programmatically as a possible
> > work around indeed.
>
> If you answer "allow" for that single prompt, telling the NSM to
> always trust ELPA, you won't need to answer any more questions, and I
> believe the batch operation will also work.

In our case, the failing Emacs process is run on a Windows 2019 server
noninteractively somewhere on the GitHub cloud, with no user
intervention so there is no prompt to see the prompt. I figured out
though a hack based on this, it should be possible to include in the
testing script. Thanks for mentioning it.
From debbugs-submit-bounces@debbugs.gnu.org Thu Oct 28 15:34:32 2021
From: Ioannis Kappas
To: Eli Zaretskii
Subject: Re: bug#51038: 27.2; ELPA certificate not trusted on Windows
Date: Thu, 28 Oct 2021 20:34:05 +0100

On Mon, Oct 25, 2021 at 6:18 PM Ioannis Kappas wrote:
>
> On Mon, Oct 25, 2021 at 12:48 PM Eli Zaretskii wrote:
> >
> > > From: Ioannis Kappas
> > > Date: Sun, 24 Oct 2021 21:30:09 +0100
> > > Cc: john@rootabega.net, 51038@debbugs.gnu.org, emacs-hoffman@snkmail.com,
> > >  Lars Ingebrigtsen
> > > >
> > > If this is the official position, IMHO it should be clearly stated
> > > somewhere obvious (unless I missed it). Otherwise people old or new to
> > > emacs think these precompiled binaries are officially supported by the
> > > project maintainers and should work out of the box.
> >
> > You are reading too much into that text. It doesn't say anywhere that
> > these binaries are "official", nor even that they are endorsed or
> > blessed by the project. I don't think it's reasonable to expect us to
> > have a disclaimer near any binary distribution of Emacs saying it
> > isn't "official". There are more sites out there which distribute
> > precompiled binaries of Emacs.
>
> I believe the perception for the majority of users new or old to Emacs
> is that these are the official binaries. As a random example, the
> Emacs Wiki @ https://www.emacswiki.org/emacs/MsWindowsInstallation
> reads (the *** are mine):
>
> """ Guidelines for installing Emacs on MS Windows
>
> To install the ***official*** stable binaries:

Hi again,

here is some more evidence that these prebuilt binaries are widely
considered to be official GNU packages. They are picked up by the two
major MS-Windows package managers I am aware of, and thus almost
everyone is affected when something goes wrong:

Chocolatey: https://community.chocolatey.org/packages/Emacs
Scoop: https://github.com/ScoopInstaller/Extras/blob/master/bucket/emacs.json

(and what Eldev used as an installer in the GitHub action:
https://github.com/purcell/setup-emacs)

I would like to stress again that IMO it should be made clear
somewhere prominent that these precompiled binaries published on the
GNU ftp site are unofficial, unmaintained, unsupported binary packages
(as I believe is Eli's position) and people or processes should not
rely on them, but rather build their own packages from source (which
is a non-trivial task for many people and requires access to MSYS2).

I don't believe the package managers are wrong here for picking up the
binaries from the official GNU site. It is the inherited belief that
these are official supported binaries that is the issue IMHO.

Sorry for bringing this up again, but I do believe this is a major
issue which requires addressing affecting many people and processes
out there.

Thanks

From unknown Sat Jun 21 10:41:00 2025
From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Message-Id: bug archived.
Date: Fri, 26 Nov 2021 12:24:05 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator