Alex Kost <alez...@gmail.com> writes: > ng0 (2016-08-27 17:20 +0300) wrote: > >> From d2dfd0fcc34f5cdcb9d181093cffd5af16be6641 Mon Sep 17 00:00:00 2001 >> From: ng0 <n...@we.make.ritual.n0.is> >> Date: Sat, 27 Aug 2016 13:33:31 +0000 >> Subject: [PATCH 1/4] gnu: emacs: Use https for elpa.gnu.org. >> >> * gnu/packages/emacs.scm: Use 'https' for all elpa.gnu.org urls. >> --- >> gnu/packages/emacs.scm | 24 ++++++++++++------------ >> 1 file changed, 12 insertions(+), 12 deletions(-) >> >> >> diff --git a/gnu/packages/emacs.scm b/gnu/packages/emacs.scm >> index 4fe9a8a..d1d8af0 100644 >> --- a/gnu/packages/emacs.scm >> +++ b/gnu/packages/emacs.scm >> @@ -652,7 +652,7 @@ programs.") >> (version "1.0.4") >> (source (origin >> (method url-fetch) >> - (uri (string-append "http://elpa.gnu.org/packages/let-alist-"; >> + (uri (string-append "https://elpa.gnu.org/packages/let-alist-"; >> version ".el")) > > FYI 'let-alist' was added by Ludovic, and I think using "http" was > intentional. I asked once about "https" vs. "http", and I'm not sure > whether these http→https changes are desired: > > http://lists.gnu.org/archive/html/guix-devel/2015-07/msg00378.html
I share this position although it is a very short statement for a complex topic. Using tls in combination with for example the extension certificate patrol for firefox based browsers helps to control certificates and catch bad ones. Does hydra pull packages via tor? Is our default tor? No. As long as we have no alternative, like the one I work towards to, we should use the minimal bit of authenticity tls can provide. -- ng0 For non-prism friendly talk find me on http://www.psyced.org
