From: ng0 <ng0@we.make.ritual.n0.is>
To: Alex Kost <alezost@gmail.com>
Cc: guix-devel@gnu.org
Subject: Re: [PATCH] gnu: emacs: Use https for elpa.gnu.org
Date: Tue, 30 Aug 2016 12:22:01 +0000 [thread overview]
Message-ID: <871t16phue.fsf@we.make.ritual.n0.is> (raw)
In-Reply-To: <87r399ud3n.fsf@we.make.ritual.n0.is>
ng0 <ng0@we.make.ritual.n0.is> writes:
> Alex Kost <alezost@gmail.com> writes:
>
>> ng0 (2016-08-27 17:20 +0300) wrote:
>>
>>> From d2dfd0fcc34f5cdcb9d181093cffd5af16be6641 Mon Sep 17 00:00:00 2001
>>> From: ng0 <ng0@we.make.ritual.n0.is>
>>> Date: Sat, 27 Aug 2016 13:33:31 +0000
>>> Subject: [PATCH 1/4] gnu: emacs: Use https for elpa.gnu.org.
>>>
>>> * gnu/packages/emacs.scm: Use 'https' for all elpa.gnu.org urls.
>>> ---
>>> gnu/packages/emacs.scm | 24 ++++++++++++------------
>>> 1 file changed, 12 insertions(+), 12 deletions(-)
>>>
>>>
>>> diff --git a/gnu/packages/emacs.scm b/gnu/packages/emacs.scm
>>> index 4fe9a8a..d1d8af0 100644
>>> --- a/gnu/packages/emacs.scm
>>> +++ b/gnu/packages/emacs.scm
>>> @@ -652,7 +652,7 @@ programs.")
>>> (version "1.0.4")
>>> (source (origin
>>> (method url-fetch)
>>> - (uri (string-append "http://elpa.gnu.org/packages/let-alist-"
>>> + (uri (string-append "https://elpa.gnu.org/packages/let-alist-"
>>> version ".el"))
>>
>> FYI 'let-alist' was added by Ludovic, and I think using "http" was
>> intentional. I asked once about "https" vs. "http", and I'm not sure
>> whether these http→https changes are desired:
>>
>> http://lists.gnu.org/archive/html/guix-devel/2015-07/msg00378.html
>
> I share this position although it is a very short statement for a
> complex topic. Using tls in combination with for example the extension
> certificate patrol for firefox based browsers helps to control
> certificates and catch bad ones.
>
> Does hydra pull packages via tor? Is our default tor? No. As long as we
> have no alternative, like the one I work towards to, we should use the
> minimal bit of authenticity tls can provide.
Adding to this: in some countries, using tor is dangerous, illegal and
the opposition can face severe sentences by the government in charge of
the country. It makes more sense to use tls, even when it is broken,
than to say 'just use tor'. We add security on top of that through hash
and checksums, but having a default of tls is safer in my opinion, for
the moment.
--
ng0
For non-prism friendly talk find me on http://www.psyced.org
next prev parent reply other threads:[~2016-08-30 12:22 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-08-27 14:20 [PATCH] gnu: emacs: Use https for elpa.gnu.org ng0
2016-08-27 20:55 ` Alex Kost
2016-08-27 21:16 ` ng0
2016-08-30 12:22 ` ng0 [this message]
2016-09-08 23:27 ` ng0
2016-09-09 18:04 ` Alex Kost
2016-09-12 13:46 ` Alex Kost
2016-09-13 8:02 ` Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=871t16phue.fsf@we.make.ritual.n0.is \
--to=ng0@we.make.ritual.n0.is \
--cc=alezost@gmail.com \
--cc=guix-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).