unofficial mirror of notmuch@notmuchmail.org
From: Adam Plaice <plaice.adam+notmuch@gmail.com>
To: notmuch@notmuchmail.org
Subject: Fetching from the git repositories over https?
Date: Sun, 28 Jan 2018 17:26:08 +0000
Message-ID: <CAJw81dZ4kzHukW1nycs0CJVQn2cpD19daqjRUXNn5vzbhoiBSA@mail.gmail.com>

I apologise if I'm asking in the wrong place.

Is it possible to clone/fetch from the notmuch git repositories
(particularly https://git.notmuchmail.org/git/notmuch) over https
rather than with the `git://' protocol?  (None of the likely
alternatives seem to work.)

If not, would it be inconvenient for this to be enabled, as an
option (if not the recommended one)?

Having such an option would be valuable for the purposes of MELPA and
MELPA stable (the Emacs package archives which provide an alternative,
slightly controversial, way of installing the Notmuch Emacs
interface).  Since the scripts that build the package archives fetch
from upstream sources (such as git://git.notmuchmail.org/git/notmuch)
automatically (without human oversight or code inspection) and the
`git://' protocol does not provide any authentication, there is
currently no guarantee that when the MELPA server tries to connect to
notmuchmail.org it's not actually being "Man-in-the-middled" by a
malicious third party.  As a result, it would be possible for such a
third party to introduce some changes to the Elisp code, that would
compromise the machines of any users who install the modified package.

Using https would raise the bar, from anybody who can hijack the
connection between MELPA and notmuchmail.org, to those who can compromise
the SSL certificate chain.

Thank you for your time and thank you for notmuch,
Adam
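The risk described in the message is that a build pipeline fetching over `git://` (or `http://`) has no way to tell the real server from an attacker on the path. The following POSIX shell script is an added example, not code from the notmuch project or from the message's author: it classifies fetch URLs by whether the transport authenticates the remote, audits `git remote -v` output for unauthenticated fetches, and prints the client-side `url.<base>.insteadOf` rewrite that moves a `git://` base to `https://`. The sample remote list is constructed; the `example.invalid` host is a placeholder, and the rewrite assumes the server actually serves the same path over https, which the message says was not yet the case for git.notmuchmail.org.

```shell
#!/bin/sh
# Added example: audit git fetch URLs for transports that give no origin
# authentication. Not part of the notmuch project.

# Classify one fetch URL by transport. git:// and http:// do not authenticate
# the server, so anyone on the network path can substitute content; https://
# relies on the TLS certificate chain, ssh:// on the server's host key.
transport_class() {
    case "$1" in
        https://*|ssh://*|git+ssh://*|ssh+git://*) echo authenticated ;;
        git://*|http://*|ftp://*)                 echo unauthenticated ;;
        file://*|/*|./*|../*)                     echo local ;;
        *://*)                                    echo unknown ;;
        *:*)                                      echo authenticated ;;  # scp-style host:path runs over ssh
        *)                                        echo unknown ;;
    esac
}

# Read `git remote -v` output on stdin and print "<name> <url>" for every
# remote whose fetch transport is unauthenticated. Always returns 0 so it is
# safe inside command substitution under `set -e`; the caller reads the output.
unauthenticated_fetch_remotes() {
    while read -r name url kind; do
        [ "$kind" = "(fetch)" ] || continue
        if [ "$(transport_class "$url")" = unauthenticated ]; then
            printf '%s %s\n' "$name" "$url"
        fi
    done
    return 0
}

# Print the git configuration that rewrites a git:// base URL to https:// on
# the client (git's url.<base>.insteadOf mechanism). Assumption: the server
# serves the repository at the same path over https.
https_rewrite_config() {
    base=$1
    case "$base" in
        git://*) ;;
        *) echo "expected a git:// base URL" >&2; return 1 ;;
    esac
    https_base="https://${base#git://}"
    printf 'git config --global url."%s".insteadOf "%s"\n' "$https_base" "$base"
}

# Constructed sample of `git remote -v` output for a build checkout.
SAMPLE_REMOTES='origin  git://git.notmuchmail.org/git/notmuch (fetch)
origin  git://git.notmuchmail.org/git/notmuch (push)
mirror  https://example.invalid/notmuch.git (fetch)
mirror  https://example.invalid/notmuch.git (push)'

printf '%s\n' "$SAMPLE_REMOTES" | unauthenticated_fetch_remotes
https_rewrite_config git://git.notmuchmail.org/git/
```

Run inside a checkout as `git remote -v | sh -c '. ./audit.sh; unauthenticated_fetch_remotes'` (after saving the functions to `audit.sh`) to list remotes that should be moved to an authenticated transport; an empty result means every fetch goes over https or ssh.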


Thread overview: 7+ messages
2018-01-28 17:26 Adam Plaice [this message]
2018-02-04  3:10 ` Fetching from the git repositories over https? Daniel Kahn Gillmor
2018-02-09  6:28   ` Adam Plaice
2018-02-09 17:42     ` Daniel Kahn Gillmor
2018-02-10  4:34       ` Adam Plaice
2018-02-10  3:11 ` Carl Worth
2018-02-10  4:37   ` Adam Plaice
