[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[O] How can I obtain Org via HTTPS?

From: Radon Rosborough
Subject: [O] How can I obtain Org via HTTPS?
Date: Sun, 3 Dec 2017 22:46:49 -0800

Hello all,

It does not appear to be possible to obtain the Git repository for Org
via HTTPS or SSH, only via HTTP. I have checked the manual and
searched the Internet to see if there is a way, but no luck. I only
found an unanswered inquiry from earlier this year [1].

—Why is HTTPS/SSH necessary when Org releases are signed with GPG?
Well, only releases are signed. If you want to clone the development
version of Org, there appears to be no way to verify that it has not
been tampered with, since the clone was using an insecure protocol.

—Why do I care about this?
I maintain the package manager straight.el [2], which installs
packages by cloning their Git repositories. By default, the
development version of a package is installed. It would be
irresponsible to install packages via HTTP, so straight.el is forced
to install Org from the EmacsMirror [3] instead. This makes me
uncomfortable, since I would prefer to install packages from their
authoritative upstream sources—this makes contributing back to those
packages easier.

Have I missed something? Is it already possible to obtain Org
securely? If not, is making that possible a current goal of the
project? If not, what is the difficulty and can I help?

Best regards,
Radon Rosborough

[1]: http://lists.gnu.org/archive/html/emacs-orgmode/2017-03/msg00335.html
[2]: https://github.com/raxod502/straight.el
[3]: https://github.com/emacsmirror/org

reply via email to

[Prev in Thread] Current Thread [Next in Thread]