From mboxrd@z Thu Jan 1 00:00:00 1970
From: Adam Plaice
Date: Sun, 28 Jan 2018 17:26:08 +0000
Subject: Fetching from the git repositories over https?
To: notmuch@notmuchmail.org
List-Id: "Use and development of the notmuch mail system."

I apologise if I'm asking in the wrong place.

Is it possible to clone/fetch from the notmuch git repositories (particularly https://git.notmuchmail.org/git/notmuch) over https rather than with the `git://' protocol? (None of the likely alternatives seem to work.)

If not, would it be inconvenient for this to be enabled, as an option (if not the recommended one)?

Having such an option would be valuable for the purposes of MELPA and MELPA stable (the Emacs package archives which provide an alternative, slightly controversial, way of installing the Notmuch Emacs interface).

Since the scripts that build the package archives fetch from upstream sources (such as git://git.notmuchmail.org/git/notmuch) automatically (without human oversight or code inspection) and the `git://' protocol does not provide any authentication, there is currently no guarantee that when the MELPA server tries to connect to notmuchmail.org it's not actually being "Man-in-the-middled" by a malicious third party.

As a result, it would be possible for such a third party to introduce some changes to the Elisp code that would compromise the machines of any users who install the modified package.

Using https would raise the bar, from anybody who can hijack the connection between MELPA and notmuchmail.org, to those who can compromise the SSL certificate chain.

Thank you for your time and thank you for notmuch,

Adam
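
The transport concern raised in the message above can be checked mechanically on the build side. The following is an added example, not part of the original message and not MELPA or notmuch code: it flags package recipes whose upstream URL uses a transport with no server authentication. The recipe strings are constructed samples and the `:url "..."` field layout is an assumption; only the `git://git.notmuchmail.org/git/notmuch` URL comes from the message.

```python
import re
from urllib.parse import urlsplit

# Transports with no server authentication or integrity protection.
UNAUTHENTICATED = {"git", "http", "ftp"}
# Transports that authenticate the server (TLS certificate or SSH host key).
AUTHENTICATED = {"https", "ssh", "git+ssh", "ssh+git", "ftps"}

URL_FIELD = re.compile(r':url\s+"([^"]+)"')      # assumed recipe field layout
SCP_LIKE = re.compile(r'^(?:[\w.-]+@)?[\w.-]+:(?!//)')  # user@host:path form

def transport(url):
    """Return the transport git would use for a remote URL."""
    if "://" not in url:
        # git treats host:path as SSH; anything else is a local path.
        return "ssh" if SCP_LIKE.match(url) else "file"
    return urlsplit(url).scheme.lower()

def audit(recipes):
    """Map recipe name -> (url, verdict) for every recipe with a :url field."""
    findings = {}
    for recipe in recipes:
        match = URL_FIELD.search(recipe)
        if not match:
            continue  # no explicit URL to judge (e.g. a hosted-forge fetcher)
        name = recipe.lstrip("(").split()[0]
        scheme = transport(match.group(1))
        if scheme in UNAUTHENTICATED:
            verdict = "unauthenticated"
        elif scheme in AUTHENTICATED:
            verdict = "authenticated"
        else:
            verdict = "review"  # local paths and unknown schemes need a human
        findings[name] = (match.group(1), verdict)
    return findings

# Constructed sample recipes (not copied from any package archive).
SAMPLE = [
    '(notmuch :url "git://git.notmuchmail.org/git/notmuch" :fetcher git)',
    '(example-tls :url "https://git.example.org/example-tls.git" :fetcher git)',
    '(example-ssh :url "git@git.example.org:team/example-ssh.git" :fetcher git)',
    '(example-http :url "http://git.example.org/example-http.git" :fetcher git)',
    '(example-local :url "/srv/mirror/example-local.git" :fetcher git)',
    '(example-forge :fetcher github :repo "example/example-forge")',
]

if __name__ == "__main__":
    for name, (url, verdict) in audit(SAMPLE).items():
        print(f"{verdict:16} {name:14} {url}")
```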