
Re: serving ELPA over HTTP/S

From: Stefan Monnier
Subject: Re: serving ELPA over HTTP/S
Date: Tue, 05 May 2015 13:38:40 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.50 (gnu/linux)

> http://blog.codinghorror.com/should-all-web-traffic-be-encrypted/ or in
> the proposed HTTP 2.0 standard. You may disagree, but I think the burden
> of proof today should be on those who want to *disable* encryption.

I largely agree, but at the same time, we've been running without even
any kind of signature verification until very recently, and even Debian
works without https, so clearly it's not that big of a deal.

> If the user doesn't have GnuPG installed (and we've agreed to treat that
> as an acceptable situation, right?),

I could agree to emitting a warning if neither gnutls nor gnupg
is available.
And I don't see a good reason to let the user turn the warning off
(after all, she can turn it off by installing gnupg).

>>> 1) so ELPA archives can have multiple URLs. Assuming there's just one is
>>> not ideal in the long term.
SM> That's a separate issue, unrelated to http/https.
> And yet it would also be addressed by my proposal, so I think it's worth
> considering.

I'm not opposed, but I think it's much more complex than just using
https by default when it's available.

Having several URLs with a failover from one to the other opens up the
issue of timeouts and other forms of failures, which can be pretty ugly,
so will require more care in the implementation to make it work well
enough (after defining what "well enough" should be in this context).

