
A number of people on emacs-devel, and IIRC, RMS too, suggest that we should not be over-protective parents of Emacs users, and on most levels, I agree. While this might seem like a strange philosophical position to take when it comes to security, I don't think it is (or will be) the case for Emacs. An Emacs user can override pretty much everything Emacs does, and there are well-defined options where you can force a cipher suite or bypass NSM completely. This might sound dangerous, but it's necessary so that, in the event a new TLS attack is discovered and Emacs' default is vulnerable, the user can easily override Emacs' and GnuTLS' defaults outside of both of these projects' release cycles. Given how infrequent Emacs releases are, I think this is the right approach.
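
The override mechanism this comment refers to, shown as an added example that is not part of the thread: an init-file fragment that tightens the TLS settings rather than loosening them. The variables are Emacs' own (from `gnutls.el` and `nsm.el`); the specific values are assumptions chosen for illustration.

```elisp
;; Added example: user-level TLS hardening in an init file.
;; All values below are illustrative assumptions; adjust to local policy.
(require 'gnutls)

;; Abort the connection when certificate verification fails,
;; instead of only recording the failure.
(setq gnutls-verify-error t)

;; Reject Diffie-Hellman key exchanges with primes shorter than this.
(setq gnutls-min-prime-bits 2048)

;; GnuTLS priority string: start from the library's NORMAL set and
;; remove protocol versions older than TLS 1.2.
(setq gnutls-algorithm-priority
      "NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1")

;; Network Security Manager check level: one of low, medium, high,
;; paranoid. Higher levels run more checks before a connection is used.
(setq network-security-level 'high)
```

Because these are ordinary user options, they can be changed the day a new TLS weakness is published, without waiting for an Emacs or GnuTLS release.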


> A number of people on emacs-devel, and IIRC, RMS too, suggest that we should not be over-protective parents of Emacs users, and on most levels, I agree. While this might seem like a strange philosophical position to take when it comes to security, I don't think it is (or will be) the case for Emacs.

I've been a heavy Emacs user since 1997, using it as my primary editor on all platforms. (In the last year or so, I've been mixing Emacs and Visual Studio Code, because of the latter's solid support for particular language servers.)

I am completely horrified at the suggestion that it might be OK for Emacs to have insecure TLS defaults. This would be an absolute deal-breaker for me (and would almost certainly result in Emacs being banned at work, with no objection from me).

I do not have the time to fix every Emacs install on every server to be secure with the latest TLS standards. I need to be able to trust the developers of the software I use to get this right. I do not want to worry about whether `package-install` has been affected by a MITM attack.


I love Emacs, but if I'm to be honest, if network security is of concern per a company's policy, Emacs, any version of it past and present, should be immediately banned.


I'm struggling to see the philosophical problem with being as secure as possible by default (aka "over protective") and letting the user configure overrides as necessary?


There isn't. I've said this a couple of times in the mailing list. It's just some people appear to think there is, but I don't believe them.

We all agree that Emacs should provide sensible defaults; the disagreement is what those sensible defaults consist of.



