FTP,HTTP → HTTPS in Emacs doc and code

FTP,HTTP → HTTPS in Emacs doc and code

[Paul Eggert]

Inspired by the impending decommissioning of ftp://ftp.gnu.org due to 
security concerns, I went through the Emacs master branch and changed 
these FTP URLs to https://ftp.gnu.org. While I was at it, I did the 
much-bigger task of changing http: to https: for most gnu.org and 
fsf.org URLs. (I ran out of energy before doing the MS-Windows files, 
and I hope someone else can take up the slack there.)

Although the web pages in question are not secret, plain HTTP is 
vulnerable to malicious routers that tamper with responses from GNU 
servers, and this sort of thing is all too common when people in some 
other countries browse US-based websites. See, for example:

Aceto G, Botta A, Pescapé A, Awan MF, Ahmad T, Qaisar S. Analyzing 
internet censorship in Pakistan. RTSI 2016. 
https://dx.doi.org/10.1109/RTSI.2016.7740626

HTTPS is not a complete solution here, but it can be a significant help. 
The GNU project regularly serves up code to users, so we should take 
some care here.

Re: FTP,HTTP → HTTPS in Emacs doc and code

[Philippe Vaucher]

[-- Attachment #1: Type: text/plain, Size: 579 bytes --]

> Inspired by the impending decommissioning of ftp://ftp.gnu.org due to
> security concerns, I went through the Emacs master branch and changed these
> FTP URLs to https://ftp.gnu.org. While I was at it, I did the much-bigger
> task of changing http: to https: for most gnu.org and fsf.org URLs. (I
> ran out of energy before doing the MS-Windows files, and I hope someone
> else can take up the slack there.)
>

Sorry if I'm being dense here, but isn't this simply a matter of running
`sed -i` recursively and changing all the link at once with the appropriate
regex?

Philippe

[-- Attachment #2: Type: text/html, Size: 1084 bytes --]

Re: FTP,HTTP → HTTPS in Emacs doc and code

[Paul Eggert]

Philippe Vaucher wrote:
> Sorry if I'm being dense here, but isn't this simply a matter of running
> `sed -i` recursively and changing all the link at once with the appropriate
> regex?

I used Emacs instead of sed -i, but yes that's a good way to start. However, 
there are some exceptions (both false positive and false negatives) so the 
result needs to be hand-checked. Among other things, I left the 
http://lists.gnu.org URLs alone for now because I was being cautious: while 
testing all this I found that those URLs are served by an older host that does 
not support TLS 1.1 or 1.2 yet (I have opened a trouble ticket for that...).

Re: FTP,HTTP → HTTPS in Emacs doc and code

[Richard Stallman]

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

Thanks for making those changes.

-- 
Dr Richard Stallman
President, Free Software Foundation (gnu.org, fsf.org)
Internet Hall-of-Famer (internethalloffame.org)
Skype: No way! See stallman.org/skype.html.

Re: FTP,HTTP → HTTPS in Emacs doc and code

[Paul Eggert]

Richard Stallman wrote:
> Thanks for making those changes.

You're welcome. Also, we should make similar changes in the GNU Coding Standards 
documents and license material, since Emacs distributes some copies of these. 
Today I sent an email to bug-standards@gnu.org containing a proposed patch along 
those lines.

Hmmm, I see that no changes have been made to gnustandards for over a year 
despite several worthwhile typo and other fixes being sent to bug-standards. I 
hope the following change doesn't get lost too.

https://lists.gnu.org/archive/html/bug-standards/2017-09/msg00004.html