
> A number of people on emacs-devel, and IIRC, RMS too, suggest that we should not be over-protective parents of Emacs users, and on most levels, I agree. While this might seem like a strange philosophical position to take when it comes to security, I don't think it is (or will be) the case for Emacs.

I've been a heavy Emacs user since 1997, using it as my primary editor on all platforms. (In the last year or so, I've been mixing Emacs and Visual Studio Code, because of the latter's solid support for particular language servers.)

I am completely horrified at the suggestion that it might be OK for Emacs to have insecure TLS defaults. This would be an absolute deal-breaker for me (and would almost certainly result in Emacs being banned at work, with no objection from me).

I do not have the time to fix every Emacs install on every server to be secure with the latest TLS standards. I need to be able to trust the developers of the software I use to get this right. I do not want to worry about whether `package-install` has been affected by a MITM attack.



I love Emacs, but if I'm to be honest, if network security is of concern per a company's policy, Emacs, any version of it past and present, should be immediately banned.



