On Sun, Jul 23, 2017 at 04:22:06PM +0200, Ricardo Wurmus wrote:
> 
> Ricardo Wurmus <rekado@elephly.net> writes:
> 
> > Leo Famulari <leo@famulari.name> writes:
> >
> >> While working on the bug 'Changing package source URLs from git:// to
> >> https://' [0], I noticed an issue with the sources for guile-emacs.
> >>
> >> We currently fetch this source code over the unauthenticated GIT
> >> protocol. It is also available over HTTPS. However, these two protocols
> >> are returning different Git repos for some reason.
> >
> > The clone times out for me:
> >
> > --8<---------------cut here---------------start------------->8---
> > git clone https://git.hcoop.net/git/bpt/emacs.git guile-emacs-over-https
> > Cloning into 'guile-emacs-over-https'...
> > ^C
> > --8<---------------cut here---------------end--------------->8---
> >
> > But the clone from git:// works fine.
> >
> > Is the repository actually served over HTTPS?
> 
> Don’t mind me.  It eventually worked.  The repositories have different
> histories, and the https-repo looks like it is two commits behind.
> Looks like an older rebase.
> 
> I’d say we should leave it with the current git:// URL.

The thing is, since the git:// protocol is unauthenticated, we could
assume that those extra two commits are added by a MitM :/

Somebody who is interested in guile-emacs should really ask upstream
what is going on.