From mboxrd@z Thu Jan 1 00:00:00 1970 From: ng0 Subject: Re: [PATCH] gnu: emacs: Use https for elpa.gnu.org Date: Thu, 08 Sep 2016 23:27:56 +0000 Message-ID: <87a8fiq8eb.fsf@we.make.ritual.n0.is> References: <87fupqqoms.fsf@we.make.ritual.n0.is> <871t1adj91.fsf@gmail.com> <87r399ud3n.fsf@we.make.ritual.n0.is> <871t16phue.fsf@we.make.ritual.n0.is> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:52638) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bi8jq-00074w-0V for guix-devel@gnu.org; Thu, 08 Sep 2016 19:28:11 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1bi8jk-0002nv-UP for guix-devel@gnu.org; Thu, 08 Sep 2016 19:28:08 -0400 Received: from aibo.runbox.com ([91.220.196.211]:40829) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bi8jk-0002np-NF for guix-devel@gnu.org; Thu, 08 Sep 2016 19:28:04 -0400 In-Reply-To: <871t16phue.fsf@we.make.ritual.n0.is> List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: Alex Kost Cc: guix-devel@gnu.org Hi, can someone else comment on this thread? I've listed part of my reasons, not all, my position should be clear. ng0 writes: > ng0 writes: > >> Alex Kost writes: >> >>> ng0 (2016-08-27 17:20 +0300) wrote: >>> >>>> From d2dfd0fcc34f5cdcb9d181093cffd5af16be6641 Mon Sep 17 00:00:00 2001 >>>> From: ng0 >>>> Date: Sat, 27 Aug 2016 13:33:31 +0000 >>>> Subject: [PATCH 1/4] gnu: emacs: Use https for elpa.gnu.org. >>>> >>>> * gnu/packages/emacs.scm: Use 'https' for all elpa.gnu.org urls. >>>> --- >>>> gnu/packages/emacs.scm | 24 ++++++++++++------------ >>>> 1 file changed, 12 insertions(+), 12 deletions(-) >>>> >>>> >>>> diff --git a/gnu/packages/emacs.scm b/gnu/packages/emacs.scm >>>> index 4fe9a8a..d1d8af0 100644 >>>> --- a/gnu/packages/emacs.scm >>>> +++ b/gnu/packages/emacs.scm >>>> @@ -652,7 +652,7 @@ programs.") >>>> (version "1.0.4") >>>> (source (origin >>>> (method url-fetch) >>>> - (uri (string-append "http://elpa.gnu.org/packages/let-alist-" >>>> + (uri (string-append "https://elpa.gnu.org/packages/let-alist-" >>>> version ".el")) >>> >>> FYI 'let-alist' was added by Ludovic, and I think using "http" was >>> intentional. I asked once about "https" vs. "http", and I'm not sure >>> whether these http→https changes are desired: >>> >>> http://lists.gnu.org/archive/html/guix-devel/2015-07/msg00378.html >> >> I share this position although it is a very short statement for a >> complex topic. Using tls in combination with for example the extension >> certificate patrol for firefox based browsers helps to control >> certificates and catch bad ones. >> >> Does hydra pull packages via tor? Is our default tor? No. As long as we >> have no alternative, like the one I work towards to, we should use the >> minimal bit of authenticity tls can provide. > > Adding to this: in some countries, using tor is dangerous, illegal and > the opposition can face severe sentences by the government in charge of > the country. It makes more sense to use tls, even when it is broken, > than to say 'just use tor'. We add security on top of that through hash > and checksums, but having a default of tls is safer in my opinion, for > the moment. > -- > ng0 > For non-prism friendly talk find me on http://www.psyced.org > -- ng0 For non-prism friendly talk find me on http://www.psyced.org