From mboxrd@z Thu Jan 1 00:00:00 1970 From: ng0 Subject: Re: [PATCH] gnu: emacs: Use https for elpa.gnu.org Date: Tue, 30 Aug 2016 12:22:01 +0000 Message-ID: <871t16phue.fsf@we.make.ritual.n0.is> References: <87fupqqoms.fsf@we.make.ritual.n0.is> <871t1adj91.fsf@gmail.com> <87r399ud3n.fsf@we.make.ritual.n0.is> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:45520) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bei3O-0005MQ-7K for guix-devel@gnu.org; Tue, 30 Aug 2016 08:22:12 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1bei3J-0007Fx-4p for guix-devel@gnu.org; Tue, 30 Aug 2016 08:22:09 -0400 Received: from mithlond.libertad.in-berlin.de ([217.197.83.212]:43127 helo=beleriand.n0.is) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bei3I-0007Fh-PK for guix-devel@gnu.org; Tue, 30 Aug 2016 08:22:05 -0400 In-Reply-To: <87r399ud3n.fsf@we.make.ritual.n0.is> List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: Alex Kost Cc: guix-devel@gnu.org ng0 writes: > Alex Kost writes: > >> ng0 (2016-08-27 17:20 +0300) wrote: >> >>> From d2dfd0fcc34f5cdcb9d181093cffd5af16be6641 Mon Sep 17 00:00:00 2001 >>> From: ng0 >>> Date: Sat, 27 Aug 2016 13:33:31 +0000 >>> Subject: [PATCH 1/4] gnu: emacs: Use https for elpa.gnu.org. >>> >>> * gnu/packages/emacs.scm: Use 'https' for all elpa.gnu.org urls. >>> --- >>> gnu/packages/emacs.scm | 24 ++++++++++++------------ >>> 1 file changed, 12 insertions(+), 12 deletions(-) >>> >>> >>> diff --git a/gnu/packages/emacs.scm b/gnu/packages/emacs.scm >>> index 4fe9a8a..d1d8af0 100644 >>> --- a/gnu/packages/emacs.scm >>> +++ b/gnu/packages/emacs.scm >>> @@ -652,7 +652,7 @@ programs.") >>> (version "1.0.4") >>> (source (origin >>> (method url-fetch) >>> - (uri (string-append "http://elpa.gnu.org/packages/let-alist-" >>> + (uri (string-append "https://elpa.gnu.org/packages/let-alist-" >>> version ".el")) >> >> FYI 'let-alist' was added by Ludovic, and I think using "http" was >> intentional. I asked once about "https" vs. "http", and I'm not sure >> whether these http→https changes are desired: >> >> http://lists.gnu.org/archive/html/guix-devel/2015-07/msg00378.html > > I share this position although it is a very short statement for a > complex topic. Using tls in combination with for example the extension > certificate patrol for firefox based browsers helps to control > certificates and catch bad ones. > > Does hydra pull packages via tor? Is our default tor? No. As long as we > have no alternative, like the one I work towards to, we should use the > minimal bit of authenticity tls can provide. Adding to this: in some countries, using tor is dangerous, illegal and the opposition can face severe sentences by the government in charge of the country. It makes more sense to use tls, even when it is broken, than to say 'just use tor'. We add security on top of that through hash and checksums, but having a default of tls is safer in my opinion, for the moment. -- ng0 For non-prism friendly talk find me on http://www.psyced.org