From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!.POSTED.blaine.gmane.org!not-for-mail
From: Dmitry Gutov <dgutov@yandex.ru>
Newsgroups: gmane.emacs.devel
Subject: Re: cannot download packages from elpa
Date: Thu, 3 Oct 2019 17:19:18 +0300
Message-ID: <f7096eaf-b0ca-fd8a-7487-dba80581cdf5@yandex.ru>
References: <CAMfzp7bJRZhCYR52KA1_H9OASB4hpE5N7YU-2sLg831S8SGnxQ@mail.gmail.com>
 <jwvzhiiwq5b.fsf-monnier+emacs@gnu.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Info: blaine.gmane.org; posting-host="blaine.gmane.org:195.159.176.226";
	logging-data="244461"; mail-complaints-to="usenet@blaine.gmane.org"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
 Thunderbird/60.8.0
Cc: emacs-devel@gnu.org
To: Stefan Monnier <monnier@iro.umontreal.ca>, Daniel Sutton <dan@dpsutton.com>
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Thu Oct 03 16:20:02 2019
Return-path: <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>
Envelope-to: ged-emacs-devel@m.gmane.org
Original-Received: from lists.gnu.org ([209.51.188.17])
	by blaine.gmane.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.89)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1iG1xa-0011TF-BE
	for ged-emacs-devel@m.gmane.org; Thu, 03 Oct 2019 16:20:02 +0200
Original-Received: from localhost ([::1]:36676 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1iG1xZ-0005jX-7n
	for ged-emacs-devel@m.gmane.org; Thu, 03 Oct 2019 10:20:01 -0400
Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:60778)
 by lists.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <raaahh@gmail.com>) id 1iG1wy-0005j9-TX
 for emacs-devel@gnu.org; Thu, 03 Oct 2019 10:19:25 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <raaahh@gmail.com>) id 1iG1wx-0000Ad-Jn
 for emacs-devel@gnu.org; Thu, 03 Oct 2019 10:19:24 -0400
Original-Received: from mail-lj1-x229.google.com ([2a00:1450:4864:20::229]:45279)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
 (Exim 4.71) (envelope-from <raaahh@gmail.com>) id 1iG1wx-000098-Cp
 for emacs-devel@gnu.org; Thu, 03 Oct 2019 10:19:23 -0400
Original-Received: by mail-lj1-x229.google.com with SMTP id q64so2929931ljb.12
 for <emacs-devel@gnu.org>; Thu, 03 Oct 2019 07:19:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=sender:subject:to:cc:references:from:message-id:date:user-agent
 :mime-version:in-reply-to:content-language:content-transfer-encoding;
 bh=hykwMgVSY/Gz/S4iYruuf0ozebG2z/Aert00TOmmA+0=;
 b=TVLG1m+dufi2meeiPxqb0l/V8wZPuO1ysqoT4PVkz/cIgdpyF8taU902GV6dsRSJyz
 rjdAoj9YMlo5kBqr2BHijgBP9Bj9CgRXUfIEhJgZHU90zagnuCTeifsrdLxbDtQjgtnz
 2MyL0gqkVpXlPfmiXKmSpWqupBm+S9ZNt2Hfhl7b+bo552SPA1zypIwbrOpfo6yz7FHE
 s7kbSKdapRqCliyyVrUuuGTZjAzhsA5LUgqq4w5szPdP90i96QBZLr1USdUz/XG6H51Q
 CG+qfgNkQ/2yxMPMGZ7nMzFq+M7LXPUWURzFXaJ7h4o2ZqM5ppU1Zqmi06ZsEDPe2BCv
 qzWw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:sender:subject:to:cc:references:from:message-id
 :date:user-agent:mime-version:in-reply-to:content-language
 :content-transfer-encoding;
 bh=hykwMgVSY/Gz/S4iYruuf0ozebG2z/Aert00TOmmA+0=;
 b=Cb/wps72FWI7ESGLEpEGP4pMvqeQzqyyaOijwVkwOTjCV0/c6wYircOU5vOOw1PlmK
 nS7/OroB35YhXkekRbIiBQrMQOOIImr7TycXgBfn+90pe09C5F6x177OMJuV4fPspxTT
 Ysya8QGYeegu/g90CD7G9pIviF3sLCRGGD2k6R7UyIRIh/PGheWxEA4wHxGiZ4OQcDlU
 9iYIyijN0zgY51eHhZKsD8Ib9lyvNDCmbj4tVd3wJrlmATexQuKFRSqLpjjO7kyHwDHH
 LOZU/YqBcB+QG2sL9VUoi1GJAv5tvt2p9H+d76qIloOjtUgskA7ypk3jLz3xqDXy/I2T
 V1Yg==
X-Gm-Message-State: APjAAAU06M1fZ2o1a9VlyEeX6c/ak9+CDyQQZM3m8GnTTCXSfvVqUCjL
 tm3wFx4K+UC+C2QYxnr2KJUlkdxrj60=
X-Google-Smtp-Source: APXvYqw8GduAXNiPig2FmmGL9FZejCa1QtU0BN82Cj6ZACfIwtto3pQDH75yDzEMHOZ9feMNvrMfJA==
X-Received: by 2002:a2e:8558:: with SMTP id u24mr6257993ljj.191.1570112361731; 
 Thu, 03 Oct 2019 07:19:21 -0700 (PDT)
Original-Received: from [192.168.0.133] ([109.110.245.170])
 by smtp.googlemail.com with ESMTPSA id l7sm558644lji.46.2019.10.03.07.19.19
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Thu, 03 Oct 2019 07:19:20 -0700 (PDT)
In-Reply-To: <jwvzhiiwq5b.fsf-monnier+emacs@gnu.org>
Content-Language: en-US
X-detected-operating-system: by eggs.gnu.org: Genre and OS details not
 recognized.
X-Received-From: 2a00:1450:4864:20::229
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "Emacs development discussions." <emacs-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/emacs-devel>,
 <mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/emacs-devel>
List-Post: <mailto:emacs-devel@gnu.org>
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/emacs-devel>,
 <mailto:emacs-devel-request@gnu.org?subject=subscribe>
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Original-Sender: "Emacs-devel" <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>
Xref: news.gmane.org gmane.emacs.devel:240509
Archived-At: <http://permalink.gmane.org/gmane.emacs.devel/240509>

On 03.10.2019 4:55, Stefan Monnier wrote:
> If you use an older Emacs to fetch the packages you need to first update
> the keys or disable signature checking.

I wonder: if we served ELPA over HTTPS only, would the signature 
checking really add any tangible security benefit?

To continue that train of thought, if the only key we had to worry in 
that respect is the HTTP certificate, the older releases of Emacs would 
need no updates over time (aside from changing the repo url to https:// 
once).