From: ng0 <ng0@we.make.ritual.n0.is>
To: Alex Kost <alezost@gmail.com>
Cc: guix-devel@gnu.org
Subject: Re: [PATCH] gnu: emacs: Use https for elpa.gnu.org
Date: Thu, 08 Sep 2016 23:27:56 +0000 [thread overview]
Message-ID: <87a8fiq8eb.fsf@we.make.ritual.n0.is> (raw)
In-Reply-To: <871t16phue.fsf@we.make.ritual.n0.is>
Hi,
can someone else comment on this thread? I've listed part of my reasons,
not all, my position should be clear.
ng0 <ng0@we.make.ritual.n0.is> writes:
> ng0 <ng0@we.make.ritual.n0.is> writes:
>
>> Alex Kost <alezost@gmail.com> writes:
>>
>>> ng0 (2016-08-27 17:20 +0300) wrote:
>>>
>>>> From d2dfd0fcc34f5cdcb9d181093cffd5af16be6641 Mon Sep 17 00:00:00 2001
>>>> From: ng0 <ng0@we.make.ritual.n0.is>
>>>> Date: Sat, 27 Aug 2016 13:33:31 +0000
>>>> Subject: [PATCH 1/4] gnu: emacs: Use https for elpa.gnu.org.
>>>>
>>>> * gnu/packages/emacs.scm: Use 'https' for all elpa.gnu.org urls.
>>>> ---
>>>> gnu/packages/emacs.scm | 24 ++++++++++++------------
>>>> 1 file changed, 12 insertions(+), 12 deletions(-)
>>>>
>>>>
>>>> diff --git a/gnu/packages/emacs.scm b/gnu/packages/emacs.scm
>>>> index 4fe9a8a..d1d8af0 100644
>>>> --- a/gnu/packages/emacs.scm
>>>> +++ b/gnu/packages/emacs.scm
>>>> @@ -652,7 +652,7 @@ programs.")
>>>> (version "1.0.4")
>>>> (source (origin
>>>> (method url-fetch)
>>>> - (uri (string-append "http://elpa.gnu.org/packages/let-alist-"
>>>> + (uri (string-append "https://elpa.gnu.org/packages/let-alist-"
>>>> version ".el"))
>>>
>>> FYI 'let-alist' was added by Ludovic, and I think using "http" was
>>> intentional. I asked once about "https" vs. "http", and I'm not sure
>>> whether these http→https changes are desired:
>>>
>>> http://lists.gnu.org/archive/html/guix-devel/2015-07/msg00378.html
>>
>> I share this position although it is a very short statement for a
>> complex topic. Using tls in combination with for example the extension
>> certificate patrol for firefox based browsers helps to control
>> certificates and catch bad ones.
>>
>> Does hydra pull packages via tor? Is our default tor? No. As long as we
>> have no alternative, like the one I work towards to, we should use the
>> minimal bit of authenticity tls can provide.
>
> Adding to this: in some countries, using tor is dangerous, illegal and
> the opposition can face severe sentences by the government in charge of
> the country. It makes more sense to use tls, even when it is broken,
> than to say 'just use tor'. We add security on top of that through hash
> and checksums, but having a default of tls is safer in my opinion, for
> the moment.
> --
> ng0
> For non-prism friendly talk find me on http://www.psyced.org
>
--
ng0
For non-prism friendly talk find me on http://www.psyced.org
next prev parent reply other threads:[~2016-09-08 23:28 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-08-27 14:20 [PATCH] gnu: emacs: Use https for elpa.gnu.org ng0
2016-08-27 20:55 ` Alex Kost
2016-08-27 21:16 ` ng0
2016-08-30 12:22 ` ng0
2016-09-08 23:27 ` ng0 [this message]
2016-09-09 18:04 ` Alex Kost
2016-09-12 13:46 ` Alex Kost
2016-09-13 8:02 ` Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87a8fiq8eb.fsf@we.make.ritual.n0.is \
--to=ng0@we.make.ritual.n0.is \
--cc=alezost@gmail.com \
--cc=guix-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).