Re: Fetching from the git repositories over https?

[Daniel Kahn Gillmor <dkg@fifthhorseman.net>]

[-- Attachment #1: Type: text/plain, Size: 1421 bytes --]

Hi Adam--

On Sun 2018-01-28 17:26:08 +0000, Adam Plaice wrote:
> I apologise if I'm asking in the wrong place.
>
> Is it possible to clone/fetch from the notmuch git repositories
> (particularly https://git.notmuchmail.org/git/notmuch) over https
> rather than with the `git://' protocol?  (None of the likely
> alternatives seem to work.)

It's currently not possible to do that, but some maintenance work is
underway that might allow us to support it in the future.

I agree with you that https:// is probably a better transport than
git:// in 2018, regardless of what MELPA thinks :)

> Using https would raise the bar, from anybody who can hijack the
> connection between MELPA and notmuchmail.org, to those who can compromise
> the SSL certificate chain.

Whether we use https or not, MELPA should be relying on signed git tags
from known release managers of the upstream projects.

For notmuch, that would be David Bremner, openpgp key fingerprint
815B63982A79F8E7C72786C4762B57BB784206AD

If MELPA is relying only on HTTPS for source integrity, it's vulnerable
to any breakage in the HTTPS security model -- from malicious CAs to
cryptographic attacks against the TLS layer itself.

I agree with you that https:// is preferable to git://, but please
encourage MELPA to take the next step and properly verify the retrieved
source directly via OpenPGP.

Regards,

        --dkg

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]