* bug#21382: [PATCH] Use HTTPS for package repo URLs
From: Francois Marier @ 2015-08-30 19:56 UTC (permalink / raw)
  To: 21382


In order to avoid having users pull Emacs packages over HTTP (where they can
be intercepted and modified by network attackers), I have changed the
default URLs for the package repositories to use HTTPS.

The first patch is a change to the default config for elpa.gnu.org and the
second patch updates the manual and FAQ to use HTTPS URLs in their examples.

This is my first patch to emacs and while I have read the CONTRIBUTE file,
it's quite possible I've missed something so feel free to let me know if
there's any changes you'd like me to do to the formatting of the patches or
commit messages.

Francois

-- 
http://fmarier.org/

[-- Attachment #2: 0001-Use-HTTPS-when-talking-to-elpa.gnu.org.patch --]

From 8b194e2ce9850c40f75d8a79aa6fc952971710b7 Mon Sep 17 00:00:00 2001
From: Francois Marier <francois@fmarier.org>
Date: Sun, 30 Aug 2015 11:31:21 -0700
Subject: [PATCH 1/2] Use HTTPS when talking to elpa.gnu.org

* emacs-lisp/package.el (package-archive-base): Point to
https://elpa.gnu.org.
* notes/elpa: Use "https" instead of "http" in full URL.
---
 admin/notes/elpa           | 2 +-
 etc/NEWS                   | 2 ++
 lisp/emacs-lisp/package.el | 2 +-
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/admin/notes/elpa b/admin/notes/elpa
index 3922604..cbd9861 100644
--- a/admin/notes/elpa
+++ b/admin/notes/elpa
@@ -10,7 +10,7 @@ repository named "elpa", hosted on Savannah.  To check it out:
 
 Changes to this branch propagate to elpa.gnu.org via a "deployment" script run
 daily.  This script (which is kept in elpa/admin/update-archive.sh) generates
-the content visible at http://elpa.gnu.org/packages.
+the content visible at https://elpa.gnu.org/packages.
 
 A new package is released as soon as the "version number" of that package is
 changed.  So you can use `elpa' to work on a package without fear of releasing
diff --git a/etc/NEWS b/etc/NEWS
index 408286a..690126c 100644
--- a/etc/NEWS
+++ b/etc/NEWS
@@ -398,6 +398,8 @@ packages from `package-selected-packages' which are currently missing.
 *** New command `package-autoremove' removes all packages which were
 installed strictly as dependencies but are no longer needed.
 
+*** elpa.gnu.org is now fetched over HTTPS by default.
+
 ** Shell
 
 When you invoke `shell' interactively, the *shell* buffer will now
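Review bot: the new entry `+*** elpa.gnu.org is now fetched over HTTPS by default.` has no `+++`/`---` marker line above it; Emacs NEWS entries carry `+++` when the change is documented in the manuals and `---` when no documentation is needed, and since the companion patch updates doc/lispref/package.texi this one should get `+++`. The entry should also say what happens on an Emacs built without TLS support, because as written it promises HTTPS unconditionally and the package.el hunk in this same patch makes no provision for such builds.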
diff --git a/lisp/emacs-lisp/package.el b/lisp/emacs-lisp/package.el
index 7c4f21f..445af4e 100644
--- a/lisp/emacs-lisp/package.el
+++ b/lisp/emacs-lisp/package.el
@@ -204,7 +204,7 @@ If VERSION is nil, the package is not loaded (it is \"disabled\")."
   :risky t
   :version "24.1")
 
-(defcustom package-archives '(("gnu" . "http://elpa.gnu.org/packages/"))
+(defcustom package-archives '(("gnu" . "https://elpa.gnu.org/packages/"))
   "An alist of archives from which to fetch.
 The default value points to the GNU Emacs package repository.
 
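Review bot: the default at `+(defcustom package-archives '(("gnu" . "https://elpa.gnu.org/packages/"))` is switched unconditionally, with no check that this Emacs can actually open a TLS connection, so a build without TLS support loses its only default archive instead of falling back or getting a clear error; either gate the scheme on TLS availability (for example on `gnutls-available-p`) or document the requirement in the docstring and NEWS. Changing a defcustom's default also calls for bumping its `:version` tag so Customize reports the new default for this release; the `:version "24.1"` visible at the top of the hunk belongs to the preceding defcustom, and `package-archives`' own tag lies outside the hunk, so please include it in the next revision.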
-- 
2.5.1


[-- Attachment #3: 0002-Use-HTTPS-for-package-repo-URLs.patch --]

From 0f9123d9d7b7cfc173d8871beb80e88b141d6397 Mon Sep 17 00:00:00 2001
From: Francois Marier <francois@fmarier.org>
Date: Sun, 30 Aug 2015 11:36:39 -0700
Subject: [PATCH 2/2] Use HTTPS for package repo URLs

* doc/lispref/package.texi: Point to https://elpa.gnu.org.
* doc/misc/efaq.texi: Update MELPA to its new domain.
* doc/misc/efaq.texi: Update all mentioned repos to HTTPS.
---
 doc/lispref/package.texi | 6 +++---
 doc/misc/efaq.texi       | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/doc/lispref/package.texi b/doc/lispref/package.texi
index f8eba2a..981c5d6 100644
--- a/doc/lispref/package.texi
+++ b/doc/lispref/package.texi
@@ -271,7 +271,7 @@ variable @code{load-file-name} (@pxref{Loading}).  Here is an example:
   Via the Package Menu, users may download packages from @dfn{package
 archives}.  Such archives are specified by the variable
 @code{package-archives}, whose default value contains a single entry:
-the archive hosted by the GNU project at @url{http://elpa.gnu.org}.  This
+the archive hosted by the GNU project at @url{https://elpa.gnu.org}.  This
 section describes how to set up and maintain a package archive.
 
 @cindex base location, package archive
@@ -284,8 +284,8 @@ form @code{(@var{id} . @var{location})}, where @var{id} is the name of
 the archive (a string) and @var{location} is its @dfn{base location}
 (a string).
 
-If the base location starts with @samp{http:}, it is treated as a HTTP
-URL, and packages are downloaded from this archive via HTTP (as is the
+If the base location starts with @samp{https:}, it is treated as a HTTPS
+URL, and packages are downloaded from this archive via HTTPS (as is the
 case for the default GNU archive).
 
 Otherwise, the base location should be a directory name.  In this
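Review bot: replacing `http:` with `https:` in `+If the base location starts with @samp{https:}, it is treated as a HTTPS` makes the manual state that an `http:` base location is no longer treated as a URL, which is not what this patch changes (only the default value moves to HTTPS; the efaq hunk in the same patch still tells users to add other archives via `package-archives`), and it keeps the wrong article in "a HTTPS". Suggest: "If the base location starts with @samp{http:} or @samp{https:}, it is treated as a URL, and packages are downloaded from this archive over HTTP or HTTPS respectively (the default GNU archive uses HTTPS)."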
diff --git a/doc/misc/efaq.texi b/doc/misc/efaq.texi
index 3e9109d..9817ce6 100644
--- a/doc/misc/efaq.texi
+++ b/doc/misc/efaq.texi
@@ -3299,7 +3299,7 @@ see @ref{Packages that do not come with Emacs}.
 
 The easiest way to add more features to your Emacs is to use the
 command @kbd{M-x list-packages}.  This contacts the
-@uref{http:///elpa.gnu.org, GNU ELPA} (``Emacs Lisp Package Archive'')
+@uref{https://elpa.gnu.org, GNU ELPA} (``Emacs Lisp Package Archive'')
 server and fetches the list of additional packages that it offers.
 These are GNU packages that are available for use with Emacs, but are
 distributed separately from Emacs itself, for reasons of space, etc.
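Review bot: besides switching the scheme, the `+@uref{https://elpa.gnu.org, GNU ELPA}` line also repairs the malformed `http:///elpa.gnu.org` (three slashes) of the old line; folding that in is fine, but the ChangeLog entry for doc/misc/efaq.texi should mention it so the fix is not read as a scheme-only change.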
@@ -3308,8 +3308,8 @@ available, and then Emacs can automatically download and install the
 packages that you select.  @xref{Packages,,, emacs, The GNU Emacs Manual}.
 
 There are other, non-GNU, Emacs Lisp package servers, including:
-@uref{http://melpa.milkbox.net, MELPA}; and
-@uref{http://marmalade-repo.org, Marmalade}.  To use additional
+@uref{https://melpa.org, MELPA}; and
+@uref{https://marmalade-repo.org, Marmalade}.  To use additional
 package servers, customize the @code{package-archives} variable.
 Be aware that installing a package can run arbitrary code, so only add
 sources that you trust.
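Review bot: the MELPA line changes both scheme and host (`melpa.milkbox.net` to `melpa.org`), which the ChangeLog covers, though the two doc/misc/efaq.texi entries in the commit message should be merged into one. With every listed URL now HTTPS, the closing sentence "installing a package can run arbitrary code, so only add sources that you trust" could usefully add that HTTPS only protects the download in transit and says nothing about the archive's contents, so the trust decision is about the archive operator, not the URL scheme.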
-- 
2.5.1



* bug#21382: [PATCH] Use HTTPS for package repo URLs
From: Glenn Morris @ 2015-08-31 16:02 UTC (permalink / raw)
  To: Francois Marier; +Cc: 21382


Hi,

Francois Marier wrote:

> In order to avoid having users pull emacs packages over HTTP (where they can
> be intercepted and modified by network attackers),

elpa.gnu.org packages are gpg signed, which should prevent such modification.

> I have changed the default URLs for the package repositories to use HTTPS.

Thanks for the patch, but more is needed than just unconditionally
changing http to https. See discussion in

http://lists.gnu.org/archive/html/emacs-devel/2015-05/msg00110.html
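The reply above makes two points that a practitioner would want to see combined: the archive contents are GPG signed, and a bare http-to-https swap is not enough because it ignores whether the running Emacs can do TLS at all. The following is an added example, not code from the patch or from Emacs itself, of an init-file fragment that chooses HTTPS only when TLS support is present, refuses to silently fall back to plain HTTP, and turns on both certificate and signature checking. The `my/` function and variable names are hypothetical; it assumes a package.el that provides `package-check-signature` and `package-unsigned-archives`, and the `gnutls-verify-error` and `network-security-level` options of Emacs 25 and later.

```elisp
;; Added example, not part of the patch or the Emacs source tree.
;; Goal: make package fetching fail closed on both transport and content.
(require 'package)
(require 'gnutls)
(require 'cl-lib)

(defconst my/package-archive-hosts
  ;; Host paths only; the URL scheme is decided at run time below.
  '(("gnu" . "elpa.gnu.org/packages/"))
  "Archives to enable (hypothetical user configuration).")

(defun my/tls-capable-p ()
  "Return non-nil when this Emacs was built with GnuTLS.
`gnutls-available-p' returns nil on builds without GnuTLS, in which
case an https URL in `package-archives' cannot be fetched natively."
  (and (fboundp 'gnutls-available-p) (gnutls-available-p)))

(defun my/build-package-archives (hosts &optional allow-http)
  "Return a `package-archives' alist for HOSTS, using https.
Without TLS support, signal a `user-error' unless ALLOW-HTTP is
non-nil, in which case use http and emit a visible warning instead of
silently downgrading."
  (let ((scheme
         (cond ((my/tls-capable-p) "https")
               (allow-http
                (display-warning 'package
                                 "No TLS support: fetching package archives over plain HTTP"
                                 :warning)
                "http")
               (t (user-error "Refusing plain HTTP for package archives: this Emacs has no TLS support")))))
    (mapcar (lambda (entry)
              (cons (car entry) (concat scheme "://" (cdr entry))))
            hosts)))

(defun my/harden-package-fetching ()
  "Configure package.el to verify both the transport and the content."
  ;; Transport: HTTPS for every archive; certificate failures are errors,
  ;; not warnings, and the Network Security Manager uses its strict level.
  (setq package-archives (my/build-package-archives my/package-archive-hosts))
  (setq gnutls-verify-error t)
  (setq network-security-level 'high)
  ;; Content: require a valid GPG signature on archive-contents and on
  ;; every package file; no archive is exempted from signature checks.
  (setq package-check-signature t)
  (setq package-unsigned-archives nil))

(defun my/non-https-archives ()
  "Return the names of archives in `package-archives' not using https.
Useful as a sanity check after loading other init code that may have
appended archives with plain http URLs."
  (cl-loop for (name . url) in package-archives
           unless (string-prefix-p "https://" url)
           collect name))

;; Usage from init.el:
;; (my/harden-package-fetching)
;; (when (my/non-https-archives)
;;   (warn "Archives without HTTPS: %S" (my/non-https-archives)))
```

The two checks are deliberately independent: `package-check-signature` covers what GPG signing gives you (an attacker cannot alter a package or the archive index without the key), while the HTTPS and certificate settings cover what it does not (an observer seeing which packages you install, and the failure mode on a build that cannot speak TLS, which here becomes an explicit error rather than an unnoticed http download).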


* bug#21382: [PATCH] Use HTTPS for package repo URLs
From: Ted Zlatanov @ 2015-11-05 19:36 UTC (permalink / raw)
  To: Glenn Morris; +Cc: 21382, Francois Marier

On Mon, 31 Aug 2015 12:02:09 -0400 Glenn Morris <rgm@gnu.org> wrote: 

GM> Francois Marier wrote:

>> In order to avoid having users pull emacs packages over HTTP (where they can
>> be intercepted and modified by network attackers),
...
>> I have changed the default URLs for the package repositories to use HTTPS.

GM> Thanks for the patch, but more is needed than just unconditionally
GM> changing http to https. See discussion in

GM> http://lists.gnu.org/archive/html/emacs-devel/2015-05/msg00110.html

Francois, would you be interested in leading the work on those items?
I'll assist any way I can but I am unable to do it myself.

Ted


* bug#21382: [PATCH] Use HTTPS for package repo URLs
From: Lars Ingebrigtsen @ 2019-06-25 15:49 UTC (permalink / raw)
  To: Francois Marier; +Cc: 21382

Francois Marier <francois@fmarier.org> writes:

> In order to avoid having users pull emacs packages over HTTP (where they can
> be intercepted and modified by network attackers), I have changed the
> default URLs for the package repositories to use HTTPS.

This seems to have been fixed sometime after this bug report, so I'm
closing it.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

