* cannot download packages from elpa
@ 2019-10-03 0:44 Daniel Sutton
2019-10-03 1:55 ` Stefan Monnier
2019-10-03 3:13 ` dick.r.chiang
0 siblings, 2 replies; 8+ messages in thread
From: Daniel Sutton @ 2019-10-03 0:44 UTC (permalink / raw)
To: emacs-devel
[-- Attachment #1: Type: text/plain, Size: 1689 bytes --]
The tests for CIDER have been failing because it cannot get queue and
spinner from elpa.
https://elpa.gnu.org/packages/queue.html seems to be up but
https://quitter.im/fsfstatus has no information about the status.
Runnings tests on CircleCI (and locally with cask install) yields:
```
Compute dependencies
cask install
Loading package information... done
Package operations: 11 installs, 0 removals
- Installing [ 1/11] sesman (0.3.2)... downloading
- Installing [ 1/11] sesman (0.3.2)... done
- Installing [ 2/11] seq (2.16)... already present
- Installing [ 3/11] spinner (1.7)... not available
- Installing [ 4/11] queue (0.2)... not available
- Installing [ 5/11] pkg-info (0.4)... downloading
- Installing [ 5/11] pkg-info (0.4)... done
- Installing [ 6/11] parseedn (0.1)... downloading
- Installing [ 6/11] parseedn (0.1)... done
- Installing [ 7/11] clojure-mode (5.9)... downloading
- Installing [ 7/11] clojure-mode (5.9)... done
- Installing [ 8/11] emacs (25)... already present
- Installing [ 9/11] markdown-mode (latest)... downloading
- Installing [ 9/11] markdown-mode (latest)... done
- Installing [10/11] buttercup (latest)... downloading
- Installing [10/11] buttercup (latest)... done
- Installing [11/11] elisp-lint (latest)... downloading
- Installing [11/11] elisp-lint (latest)... done
Some dependencies were not available: spinner, queue
```
I've tried to check the normal avenues for status but they are down. I'm
confused why https://elpa.gnu.org/packages/ seems to be up but the packages
are not able to be downloaded. It looks like the tests have been failing
due to package resolution for at least 11 days.
dan sutton
[-- Attachment #2: Type: text/html, Size: 2085 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: cannot download packages from elpa
2019-10-03 0:44 cannot download packages from elpa Daniel Sutton
@ 2019-10-03 1:55 ` Stefan Monnier
2019-10-03 2:17 ` Daniel Sutton
2019-10-03 14:19 ` Dmitry Gutov
2019-10-03 3:13 ` dick.r.chiang
1 sibling, 2 replies; 8+ messages in thread
From: Stefan Monnier @ 2019-10-03 1:55 UTC (permalink / raw)
To: Daniel Sutton; +Cc: emacs-devel
> I've tried to check the normal avenues for status but they are down. I'm
> confused why https://elpa.gnu.org/packages/ seems to be up but the packages
> are not able to be downloaded. It looks like the tests have been failing
> due to package resolution for at least 11 days.
11 days, huh? Sounds like you're bitten by the change of signing keys.
If you use Emacs-26.3 the problem should disappear.
If you use an older Emacs to fetch the packages you need to first update
the keys or disable signature checking.
Stefan
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: cannot download packages from elpa
2019-10-03 1:55 ` Stefan Monnier
@ 2019-10-03 2:17 ` Daniel Sutton
2019-10-03 14:19 ` Dmitry Gutov
1 sibling, 0 replies; 8+ messages in thread
From: Daniel Sutton @ 2019-10-03 2:17 UTC (permalink / raw)
To: Stefan Monnier; +Cc: emacs-devel
[-- Attachment #1: Type: text/plain, Size: 988 bytes --]
It appears so and I see you have helpfully created a package to help out
with that. I'll research how to get our circle builds updated to use the
new keys.
I found a reddit thread you created that is quite helpful as well if anyone
else is in the same boat as me and CIDER:
https://www.reddit.com/r/emacs/comments/bn6k1y/updating_gnu_elpa_keys/
On Wed, Oct 2, 2019 at 8:55 PM Stefan Monnier <monnier@iro.umontreal.ca>
wrote:
> > I've tried to check the normal avenues for status but they are down. I'm
> > confused why https://elpa.gnu.org/packages/ seems to be up but the
> packages
> > are not able to be downloaded. It looks like the tests have been failing
> > due to package resolution for at least 11 days.
>
> 11 days, huh? Sounds like you're bitten by the change of signing keys.
> If you use Emacs-26.3 the problem should disappear.
> If you use an older Emacs to fetch the packages you need to first update
> the keys or disable signature checking.
>
>
> Stefan
>
>
[-- Attachment #2: Type: text/html, Size: 1532 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: cannot download packages from elpa
2019-10-03 1:55 ` Stefan Monnier
2019-10-03 2:17 ` Daniel Sutton
@ 2019-10-03 14:19 ` Dmitry Gutov
1 sibling, 0 replies; 8+ messages in thread
From: Dmitry Gutov @ 2019-10-03 14:19 UTC (permalink / raw)
To: Stefan Monnier, Daniel Sutton; +Cc: emacs-devel
On 03.10.2019 4:55, Stefan Monnier wrote:
> If you use an older Emacs to fetch the packages you need to first update
> the keys or disable signature checking.
I wonder: if we served ELPA over HTTPS only, would the signature
checking really add any tangible security benefit?
To continue that train of thought, if the only key we had to worry in
that respect is the HTTP certificate, the older releases of Emacs would
need no updates over time (aside from changing the repo url to https://
once).
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: cannot download packages from elpa
2019-10-03 0:44 cannot download packages from elpa Daniel Sutton
2019-10-03 1:55 ` Stefan Monnier
@ 2019-10-03 3:13 ` dick.r.chiang
2019-10-03 13:16 ` Stefan Monnier
1 sibling, 1 reply; 8+ messages in thread
From: dick.r.chiang @ 2019-10-03 3:13 UTC (permalink / raw)
To: Daniel Sutton; +Cc: emacs-devel
The elpa key expiration has wrought havoc among elisp repos that actually
conduct proper testing, proving yet again that no good deed goes unpunished.
I've submitted a PR here https://github.com/clojure-emacs/cider/pull/2722
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: cannot download packages from elpa
2019-10-03 3:13 ` dick.r.chiang
@ 2019-10-03 13:16 ` Stefan Monnier
2019-10-03 13:41 ` dick.r.chiang
0 siblings, 1 reply; 8+ messages in thread
From: Stefan Monnier @ 2019-10-03 13:16 UTC (permalink / raw)
To: dick.r.chiang; +Cc: Daniel Sutton, emacs-devel
> The elpa key expiration has wrought havoc among elisp repos that actually
^
Thank you for not putting "debacle" in there ;-(
Stefan "not proud"
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: cannot download packages from elpa
2019-10-03 13:16 ` Stefan Monnier
@ 2019-10-03 13:41 ` dick.r.chiang
2019-10-03 14:06 ` Stefan Monnier
0 siblings, 1 reply; 8+ messages in thread
From: dick.r.chiang @ 2019-10-03 13:41 UTC (permalink / raw)
To: Stefan Monnier; +Cc: emacs-devel
Is key expiration not par for the course? It's not clear what could have been
done differently. The tragedies are emacs's outmoded packaging tools, and
elpa's inscrutability. The mixed blessings of 80s tech in a point-and-click
world, I suppose.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: cannot download packages from elpa
2019-10-03 13:41 ` dick.r.chiang
@ 2019-10-03 14:06 ` Stefan Monnier
0 siblings, 0 replies; 8+ messages in thread
From: Stefan Monnier @ 2019-10-03 14:06 UTC (permalink / raw)
To: dick.r.chiang; +Cc: emacs-devel
> Is key expiration not par for the course? It's not clear what could have been
> done differently.
I hope we'll have an answer to that before the next expiration (in 2024).
For me, it's something like:
- arrange for gnu-elpa-keyring-update to be pre-installed (and if
needed, extra tricks in package.el to encourage the user to update it
when it's out of date). So at least any user using M-x package-refresh
would get a chance at discovering that there's an update pending.
- Create new keys more frequently (e.g. I plan at rolling out a new
signing key in 2 years or so) so by the time a key expires, your Emacs
already came with a newer key if it's recentish (compared to the new
key only appearing in Emacs-26.3, less than a month before the
previous key expired).
> The tragedies are emacs's outmoded packaging tools, and
Being myself outmoded I don't know what is outmoded about package.el.
Unless by "outmoded" you mean "makes efforts to protect privacy", in
which case I do see what you mean, such as the fact that Emacs
doesn't automatically check for updates by contacting some server
every time you launch it.
On this front, I've been thinking that maybe we could try some steps in
the "less outmoded" direction along the lines of:
- keep track of the last time we refreshed the local copy of the
archive-contents metadata.
- if it's older than N months, upon startup, emit a message
encouraging/reminding the user to refresh it.
Along the same lines, when the local copy of the archive-contents
metadata indicates that one of your packages is out of date, we could
emit a message encouraging/reminding the user to upgrade it.
> elpa's inscrutability.
Not sure if you're talking about ELPA the infrastructure/protocol or
about GNU ELPA in particular, but in either case, I'll be more than
happy to try to explain, especially if that can lead to someone helping
me out with GNU ELPA, where I feel much too often quite lonely
(additionally to feeling inadequate because it's really not my area of
expertise).
Stefan
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2019-10-03 14:19 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-10-03 0:44 cannot download packages from elpa Daniel Sutton
2019-10-03 1:55 ` Stefan Monnier
2019-10-03 2:17 ` Daniel Sutton
2019-10-03 14:19 ` Dmitry Gutov
2019-10-03 3:13 ` dick.r.chiang
2019-10-03 13:16 ` Stefan Monnier
2019-10-03 13:41 ` dick.r.chiang
2019-10-03 14:06 ` Stefan Monnier
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).