cannot download packages from elpa

cannot download packages from elpa

[Daniel Sutton]

[-- Attachment #1: Type: text/plain, Size: 1689 bytes --]

The tests for CIDER have been failing because it cannot get queue and
spinner from elpa.

https://elpa.gnu.org/packages/queue.html seems to be up but
https://quitter.im/fsfstatus has no information about the status.

Runnings tests on CircleCI (and locally with cask install) yields:

```
Compute dependencies
cask install
Loading package information... done
Package operations: 11 installs, 0 removals
  - Installing [ 1/11] sesman (0.3.2)... downloading
  - Installing [ 1/11] sesman (0.3.2)... done
  - Installing [ 2/11] seq (2.16)... already present
  - Installing [ 3/11] spinner (1.7)... not available
  - Installing [ 4/11] queue (0.2)... not available
  - Installing [ 5/11] pkg-info (0.4)... downloading
  - Installing [ 5/11] pkg-info (0.4)... done
  - Installing [ 6/11] parseedn (0.1)... downloading
  - Installing [ 6/11] parseedn (0.1)... done
  - Installing [ 7/11] clojure-mode (5.9)... downloading
  - Installing [ 7/11] clojure-mode (5.9)... done
  - Installing [ 8/11] emacs (25)... already present
  - Installing [ 9/11] markdown-mode (latest)... downloading
  - Installing [ 9/11] markdown-mode (latest)... done
  - Installing [10/11] buttercup (latest)... downloading
  - Installing [10/11] buttercup (latest)... done
  - Installing [11/11] elisp-lint (latest)... downloading
  - Installing [11/11] elisp-lint (latest)... done
Some dependencies were not available: spinner, queue
```
I've tried to check the normal avenues for status but they are down. I'm
confused why https://elpa.gnu.org/packages/ seems to be up but the packages
are not able to be downloaded. It looks like the tests have been failing
due to package resolution for at least 11 days.

dan sutton

[-- Attachment #2: Type: text/html, Size: 2085 bytes --]

Re: cannot download packages from elpa

[Stefan Monnier]

> I've tried to check the normal avenues for status but they are down. I'm
> confused why https://elpa.gnu.org/packages/ seems to be up but the packages
> are not able to be downloaded. It looks like the tests have been failing
> due to package resolution for at least 11 days.

11 days, huh?  Sounds like you're bitten by the change of signing keys.
If you use Emacs-26.3 the problem should disappear.
If you use an older Emacs to fetch the packages you need to first update
the keys or disable signature checking.


        Stefan

Re: cannot download packages from elpa

[Daniel Sutton]

[-- Attachment #1: Type: text/plain, Size: 988 bytes --]

It appears so and I see you have helpfully created a package to help out
with that. I'll research how to get our circle builds updated to use the
new keys.

I found a reddit thread you created that is quite helpful as well if anyone
else is in the same boat as me and CIDER:
https://www.reddit.com/r/emacs/comments/bn6k1y/updating_gnu_elpa_keys/

On Wed, Oct 2, 2019 at 8:55 PM Stefan Monnier <monnier@iro.umontreal.ca>
wrote:

> > I've tried to check the normal avenues for status but they are down. I'm
> > confused why https://elpa.gnu.org/packages/ seems to be up but the
> packages
> > are not able to be downloaded. It looks like the tests have been failing
> > due to package resolution for at least 11 days.
>
> 11 days, huh?  Sounds like you're bitten by the change of signing keys.
> If you use Emacs-26.3 the problem should disappear.
> If you use an older Emacs to fetch the packages you need to first update
> the keys or disable signature checking.
>
>
>         Stefan
>
>

[-- Attachment #2: Type: text/html, Size: 1532 bytes --]

Re: cannot download packages from elpa

[dick.r.chiang]

The elpa key expiration has wrought havoc among elisp repos that actually
conduct proper testing, proving yet again that no good deed goes unpunished.

I've submitted a PR here https://github.com/clojure-emacs/cider/pull/2722

Re: cannot download packages from elpa

[Stefan Monnier]

> The elpa key expiration has wrought havoc among elisp repos that actually
                         ^
Thank you for not putting "debacle" in there ;-(


        Stefan "not proud"

Re: cannot download packages from elpa

[dick.r.chiang]

Is key expiration not par for the course?  It's not clear what could have been
done differently.  The tragedies are emacs's outmoded packaging tools, and
elpa's inscrutability.  The mixed blessings of 80s tech in a point-and-click
world, I suppose.

Re: cannot download packages from elpa

[Stefan Monnier]

> Is key expiration not par for the course?  It's not clear what could have been
> done differently.

I hope we'll have an answer to that before the next expiration (in 2024).
For me, it's something like:

- arrange for gnu-elpa-keyring-update to be pre-installed (and if
  needed, extra tricks in package.el to encourage the user to update it
  when it's out of date).  So at least any user using M-x package-refresh
  would get a chance at discovering that there's an update pending.

- Create new keys more frequently (e.g. I plan at rolling out a new
  signing key in 2 years or so) so by the time a key expires, your Emacs
  already came with a newer key if it's recentish (compared to the new
  key only appearing in Emacs-26.3, less than a month before the
  previous key expired).

> The tragedies are emacs's outmoded packaging tools, and

Being myself outmoded I don't know what is outmoded about package.el.

Unless by "outmoded" you mean "makes efforts to protect privacy", in
which case I do see what you mean, such as the fact that Emacs
doesn't automatically check for updates by contacting some server
every time you launch it.

On this front, I've been thinking that maybe we could try some steps in
the "less outmoded" direction along the lines of:
- keep track of the last time we refreshed the local copy of the
  archive-contents metadata.
- if it's older than N months, upon startup, emit a message
  encouraging/reminding the user to refresh it.
Along the same lines, when the local copy of the archive-contents
metadata indicates that one of your packages is out of date, we could
emit a message encouraging/reminding the user to upgrade it.

> elpa's inscrutability.

Not sure if you're talking about ELPA the infrastructure/protocol or
about GNU ELPA in particular, but in either case, I'll be more than
happy to try to explain, especially if that can lead to someone helping
me out with GNU ELPA, where I feel much too often quite lonely
(additionally to feeling inadequate because it's really not my area of
expertise).


        Stefan

Re: cannot download packages from elpa

[Dmitry Gutov]

On 03.10.2019 4:55, Stefan Monnier wrote:
> If you use an older Emacs to fetch the packages you need to first update
> the keys or disable signature checking.

I wonder: if we served ELPA over HTTPS only, would the signature 
checking really add any tangible security benefit?

To continue that train of thought, if the only key we had to worry in 
that respect is the HTTP certificate, the older releases of Emacs would 
need no updates over time (aside from changing the repo url to https:// 
once).