From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from localhost (localhost [127.0.0.1]) by arlo.cworth.org (Postfix) with ESMTP id 6A3CD6DE0287 for ; Fri, 9 Feb 2018 09:42:19 -0800 (PST) X-Virus-Scanned: Debian amavisd-new at cworth.org X-Spam-Flag: NO X-Spam-Score: -0.02 X-Spam-Level: X-Spam-Status: No, score=-0.02 tagged_above=-999 required=5 tests=[AWL=-0.020] autolearn=disabled Received: from arlo.cworth.org ([127.0.0.1]) by localhost (arlo.cworth.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cEqV9ydtqjzA for ; Fri, 9 Feb 2018 09:42:18 -0800 (PST) Received: from che.mayfirst.org (che.mayfirst.org [162.247.75.118]) by arlo.cworth.org (Postfix) with ESMTPS id 97B006DE0282 for ; Fri, 9 Feb 2018 09:42:18 -0800 (PST) Received: from fifthhorseman.net (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id 483F1F99A; Fri, 9 Feb 2018 12:42:15 -0500 (EST) Received: by fifthhorseman.net (Postfix, from userid 1000) id B10D020225; Fri, 9 Feb 2018 12:42:12 -0500 (EST) From: Daniel Kahn Gillmor To: Adam Plaice Cc: notmuch@notmuchmail.org, Carl Worth Subject: Re: Fetching from the git repositories over https? In-Reply-To: References: <877ert30w3.fsf@fifthhorseman.net> Date: Fri, 09 Feb 2018 12:42:09 -0500 Message-ID: <87o9kyt5zi.fsf@fifthhorseman.net> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" X-BeenThere: notmuch@notmuchmail.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: "Use and development of the notmuch mail system." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Feb 2018 17:42:19 -0000 --=-=-= Content-Type: text/plain On Fri 2018-02-09 06:28:04 +0000, Adam Plaice wrote: > Thanks very much for the reply. I fully agree that the verifying of > git tags by MELPA would be valuable (and rather important from a > security perspective), and will bring it up. Thanks for doing that! If you need any backup in the discussion, or if you think that your suggestion is not being taken as seriously as is warranted, i'd be happy to try to help explain the issues to the MELPA folks -- contact me directly offlist if you want to coordinate on this. > BTW, is the GitHub mirror https://github.com/notmuch/notmuch/ > mentioned in README.rst, semi-official in the sense of being likely to > be up to date? If, yes, it could be used as a stopgap intermediary > "source" for MELPA, until https transport is possible with the main > notmuch repository or MELPA supports verifying signed git tags. I think if you use the github mirror, you might just be pushing off cleartext fetching to someone else, since that mirror appears to be synced over http itself :/ I don't actually know who maintains that mirror, and i don't know how to update where it syncs from... However, Carl Worth (in Cc) just mentioned on IRC that he set up https for the official notmuch repo! So please use this URL: https://git.notmuchmail.org/git/notmuch Thanks Carl! :) All the best, --dkg --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEzicvlOwymaWlnoHjyu+ogyFnUzMFAlp93XEACgkQyu+ogyFn UzMK0A/+OKBme2MfGhqBlsTScBsf7mykaGLbxRMJsHi8b3V2SnHA/U9PT0dQWEhz WL8xkvci16ioDT4hqk0VRYzYkNYUgP4vI+xk8bj/PIIessyts8kDQt314fPEiJZu PzBqyo8MXz+vDV8qbuvwwiPQMQ+uzZl3X30Ku0IvnDMIIHDwSKhs8h31dNtoFDbz kUS/kBiAF5L5ivizik+Bon3BV7YZDdsWY+8xUbwVWtE+EW91pprtxzrBksfNC79T EBIcriBEz2JnQSXbNjMGK87FwckUGAtKTvuQByxZbyYyl7iIRrWoEYSbcyiQxEua lF2iMcb+9gPzd2ByRmPFy26UPdRIMFGjy/JELXyGr4yWRaZVHKSrHGt/OQeyxq8Y yMveMF5tRmXuUKMOaiQcMUMz8+SbhlbMtRhOd/E5xqQawHfvvPO9bAKqNG5XcEcl dDNfOM1ZYS1vY5dYYgLHzrldQkgRN1nT4c0Y7f2rZ9DqGoJRrm+dDd2/r1469KF3 ObGJeUui7vpQw/4F5FCJR4G/TK9RqeQqtJXSpIAYMsWcmB8jqwop2/R6S0S5HESV ber6XqH2vD+MgzIlyf3nYyNrwgPg0hSclR6+ie2He+22OWhp/tSjy3OnGcQltQMH EU4wgYzrizFsQcu2cfjj133/UAdTqwZ15IihJ31pGJO3o/M3Im8= =q09b -----END PGP SIGNATURE----- --=-=-=--