guix-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] gnu: emacs: Use https for elpa.gnu.org

From: ng0
Subject: Re: [PATCH] gnu: emacs: Use https for elpa.gnu.org
Date: Tue, 30 Aug 2016 12:22:01 +0000 
ng0 <address@hidden> writes:

> Alex Kost <address@hidden> writes:
>
>> ng0 (2016-08-27 17:20 +0300) wrote:
>>
>>> From d2dfd0fcc34f5cdcb9d181093cffd5af16be6641 Mon Sep 17 00:00:00 2001
>>> From: ng0 <address@hidden>
>>> Date: Sat, 27 Aug 2016 13:33:31 +0000
>>> Subject: [PATCH 1/4] gnu: emacs: Use https for elpa.gnu.org.
>>>
>>> * gnu/packages/emacs.scm: Use 'https' for all elpa.gnu.org urls.
>>> ---
>>>  gnu/packages/emacs.scm | 24 ++++++++++++------------
>>>  1 file changed, 12 insertions(+), 12 deletions(-)
>>>
>>>
>>> diff --git a/gnu/packages/emacs.scm b/gnu/packages/emacs.scm
>>> index 4fe9a8a..d1d8af0 100644
>>> --- a/gnu/packages/emacs.scm
>>> +++ b/gnu/packages/emacs.scm
>>> @@ -652,7 +652,7 @@ programs.")
>>>      (version "1.0.4")
>>>      (source (origin
>>>                (method url-fetch)
>>> -              (uri (string-append "http://elpa.gnu.org/packages/let-alist-";
>>> +              (uri (string-append 
>>> "https://elpa.gnu.org/packages/let-alist-";
>>>                                    version ".el"))
>>
>> FYI 'let-alist' was added by Ludovic, and I think using "http" was
>> intentional.  I asked once about "https" vs. "http", and I'm not sure
>> whether these http→https changes are desired:
>>
>> http://lists.gnu.org/archive/html/guix-devel/2015-07/msg00378.html
>
> I share this position although it is a very short statement for a
> complex topic. Using tls in combination with for example the extension
> certificate patrol for firefox based browsers helps to control
> certificates and catch bad ones.
>
> Does hydra pull packages via tor? Is our default tor? No. As long as we
> have no alternative, like the one I work towards to, we should use the
> minimal bit of authenticity tls can provide.

Adding to this: in some countries, using tor is dangerous, illegal and
the opposition can face severe sentences by the government in charge of
the country. It makes more sense to use tls, even when it is broken,
than to say 'just use tor'. We add security on top of that through hash
and checksums, but having a default of tls is safer in my opinion, for
the moment.
-- 
ng0
For non-prism friendly talk find me on http://www.psyced.org
reply via email to
[Prev in Thread] Current Thread [Next in Thread]