> It could have a bad effect on security and privacy for emacs users. Would > you apply only TLS 1.3 on elpa.gnu.org? ITYM TLSv1.2 and upwards. Remember how GNU ELPA merely supporting TLSv1.3 required Emacs versions older than 26.3 to apply a workaround to successfully establish a connection to GNU ELPA? Another thing to watch out for is the cipher suites. To reach a good rating several of them need to be disabled and extensive testing is required to ensure that we don't exclude users from fetching packages for no apparent reason. Something else I'm curious about, what exactly blocks us from forcing a HTTP->HTTPS redirect? Is it waiting for Emacs 26.1 and newer to become a widely used Emacs version or are there others? Vasilij