Re: serving ELPA over HTTP/S

From: Stefan Monnier
Subject: Re: serving ELPA over HTTP/S
Date: Mon, 04 May 2015 11:41:09 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.50 (gnu/linux)

> I listed several items; do you think none of those are required?

Let's see:

* set the defaults and docs to point to https://elpa.gnu.org

Yes, that's the crux of the matter, and the only part I discussed in my
previous message.

* warn and possibly abort when ELPA transfers are done over HTTP


* offer to switch the "gnu" ELPA archive to https://elpa.gnu.org


* test on all platforms

Tests are good, but in most cases we rely on early users to test.

* maybe add the GNU ELPA SSL certificate chain explicitly to Emacs

IIUC it's not necessary because that should already be installed on
your system.

SM> not very much.  You just need to make sure it still works when the
SM> running Emacs does not support TLS.
> Define "it works."

You can still install packages via package.el.

> We can switch to an external binary for the data transfer, for instance.

Why bother?

> But is that better than asking the user to enable the GnuTLS integration?

I don't think so.

> On what supported platforms is it simply not possible?  I don't know.

I don't think it matters.

> Are those platforms worth exposing our users to the drawbacks of
> installing packages over HTTP?

I don't think those drawbacks are so terrible.
But, yes, by all means, do try and change package-archives to default to
using https when that works.
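
The behaviour discussed in this message (default to https when that works, keep package.el usable when the running Emacs lacks TLS, warn on plain HTTP), as an added Emacs Lisp example that is not part of the original message or of package.el. The `my/` function names are hypothetical, and the `/packages/` archive path is an assumption not stated in the thread.

```elisp
;;; Added example for an init file; not code from package.el or this thread.
(require 'package)
(require 'cl-lib)

(defun my/tls-usable-p ()
  "Return non-nil when this Emacs can open TLS connections via GnuTLS."
  ;; `gnutls-available-p' may be absent or return nil on builds without GnuTLS.
  (and (fboundp 'gnutls-available-p)
       (gnutls-available-p)))

(defun my/elpa-url (host-path)
  "Return an archive URL for HOST-PATH: https when TLS works, else http."
  (concat (if (my/tls-usable-p) "https://" "http://") host-path))

(defun my/insecure-archives (&optional archives)
  "Return entries of ARCHIVES (default `package-archives') using plain HTTP."
  (cl-remove-if-not
   (lambda (entry) (string-prefix-p "http://" (cdr entry) t))
   (or archives package-archives)))

(defun my/check-archives ()
  "Warn once per archive that would be fetched without transport security."
  (dolist (entry (my/insecure-archives))
    (display-warning
     'package
     (format "Archive %S uses %s: contents can be modified in transit"
             (car entry) (cdr entry))
     :warning)))

;; Prefer https for the \"gnu\" archive, fall back to http so that package
;; installation still works on an Emacs without TLS support.
(setq package-archives
      (list (cons "gnu" (my/elpa-url "elpa.gnu.org/packages/"))))

;; Surface the fallback (or any other http:// archive) to the user.
(my/check-archives)
```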


