From: Daniel Kahn Gillmor
To: Adam Plaice, notmuch@notmuchmail.org
Subject: Re: Fetching from the git repositories over https?
Date: Sat, 03 Feb 2018 22:10:52 -0500
Message-ID: <877ert30w3.fsf@fifthhorseman.net>

Hi Adam--

On Sun 2018-01-28 17:26:08 +0000, Adam Plaice wrote:
> I apologise if I'm asking in the wrong place.
>
> Is it possible to clone/fetch from the notmuch git repositories
> (particularly https://git.notmuchmail.org/git/notmuch) over https
> rather than with the `git://' protocol? (None of the likely
> alternatives seem to work.)

It's currently not possible to do that, but some maintenance work is
underway that might allow us to support it in the future. I agree with
you that https:// is probably a better transport than git:// in 2018,
regardless of what MELPA thinks :)

> Using https would raise the bar, from anybody who can hijack the
> connection between MELPA and notmuchmail.org, to those who can compromise
> the SSL certificate chain.

Whether we use https or not, MELPA should be relying on signed git tags
from known release managers of the upstream projects. For notmuch, that
would be David Bremner, openpgp key fingerprint

    815B63982A79F8E7C72786C4762B57BB784206AD

If MELPA is relying only on HTTPS for source integrity, it's vulnerable
to any breakage in the HTTPS security model -- from malicious CAs to
cryptographic attacks against the TLS layer itself.

I agree with you that https:// is preferable to git://, but please
encourage MELPA to take the next step and properly verify the retrieved
source directly via OpenPGP.

Regards,

--dkg
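
The check recommended in the message above, sketched as an added example (not part of the original message and not notmuch or MELPA code): accept a fetched tag only when GnuPG reports a valid signature from the pinned fingerprint, whatever transport delivered the repository. The function names are hypothetical, and the signer's public key is assumed to be in the local GnuPG keyring already, obtained over a channel you trust.

```shell
#!/bin/sh
# Added example: pin a release manager's OpenPGP fingerprint and accept a
# git tag only if GnuPG reports a valid signature made by that key.

# Fingerprint quoted in the message above (David Bremner, notmuch).
PINNED_FPR=815B63982A79F8E7C72786C4762B57BB784206AD

# status_has_pinned_sig FPR   (hypothetical helper)
# Reads GnuPG status lines on stdin. Succeeds only if a VALIDSIG line names
# FPR as the signing key (field 3) or as its primary key (last field).
# GOODSIG alone is not enough: it carries only the short key ID.
status_has_pinned_sig() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if (toupper($3) == toupper(want) || toupper($NF) == toupper(want))
                ok = 1
        }
        END { exit (ok ? 0 : 1) }
    '
}

# verify_tag REPO TAG [FPR]   (hypothetical helper)
# Fails if git/gpg reject the signature, or if the signature is valid but
# was made by some other key that happens to be in the keyring.
verify_tag() {
    repo=$1 tag=$2 fpr=${3:-$PINNED_FPR}
    # --raw prints gpg's machine-readable status on stderr; capture only
    # stderr so nothing from the tag itself is parsed as a status line.
    status=$(git -C "$repo" verify-tag --raw "$tag" 2>&1 >/dev/null) || return 1
    printf '%s\n' "$status" | status_has_pinned_sig "$fpr"
}
```

Run `verify_tag /path/to/clone TAG` after fetching and before building or packaging; a non-zero exit status means the tag must not be used.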