The following is based on my -- possibly limited -- understanding based on reading through the bug reports around this.
On Wed, Jan 20, 2021, at 05:56, Deb-user wrote: > Thank you for your reply. Yes, the workaround works, but I feel that > this is still a bug in the package. I'm also not sure how safe it is to > disable TLS 1.3. Your options at this point are then, in no particular order; * Live without ELPA (easy if you can live with base Emacs; hard if you need ELPA packages); * Find or create a backport of the TLS1.3 handling fix yourself, and use that instead of the Debian-packaged Emacs; * Turn off TLS1.3 and take steps to mitigate the risks (not sure what exactly that would look like in practice) > I believe Emacs version 26.3 fixes this. I don't know how updating > packages works in stable releases, or if it is even possible. I am new > to Debian. In normal circumstances, the "stable" version does not get updates except for critical security fixes. However, there was already one attempt at fixing this particular bug which however doesn't seem to work satisfactorily, which is apparently what caused this bug to be submitted. There definitely won't be a 26.3 in Buster, but perhaps the maintainer would still like to take another stab at providing a backport for 26.1 which actually works, and release that fix to Buster. Perhaps see also the discussion in the linked original bug https://bugs.debian.org/942413 /* era */ -- If this were a real .signature, it would suck less. Well, maybe not.
