Re: serving ELPA over HTTP/S

[Ted Zlatanov]

On Mon, 04 May 2015 15:16:01 -0400 Stefan Monnier <address@hidden> wrote: 

SM> * warn and possibly abort when ELPA transfers are done over HTTP
SM> * offer to switch the "gnu" ELPA archive to https://elpa.gnu.org
SM> Why?
>> Because HTTP is worse than HTTP/S as a software delivery channel in
>> almost every way.

SM> Better/worse is not sufficient in itself to justify annoying the user.
SM> So the "why" was really saying "why is it a big enough deal"?

Clearly, because I think it's worth annoying the user, since plain HTTP
should be the exception.

SM> Package installation should indeed work even without those
SM> certificate chains.  Either by accepting the "unverified" certificates,
SM> or by falling back to HTTP.

OK, I think we can accommodate that.

>> OK. Perhaps it's best to simply make it a list instead of a string and
>> try each one in sequence.

SM> Why?  Why not just

SM>   (if (we-have-gnutls) <thehttpsurl> <thehttpurl>)

1) so ELPA archives can have multiple URLs. Assuming there's just one is
not ideal in the long term.

2) because I don't think this should be set in the code.  It's a user choice.

On Mon, 04 May 2015 17:20:46 +0000 Ivan Shmakov <address@hidden> wrote: 

TZ> Because HTTP is worse than HTTP/S as a software delivery channel in
TZ> almost every way.

IS>     … Except for the cache-ability, where HTTP is a sure winner.

I don't think that matters too much in our case, but yes, that's one of
the ways HTTP is better.

Ted