Hi, can someone else comment on this thread? I've listed part of my reasons, not all, my position should be clear.
ng0 <n...@we.make.ritual.n0.is> writes: > ng0 <n...@we.make.ritual.n0.is> writes: > >> Alex Kost <alez...@gmail.com> writes: >> >>> ng0 (2016-08-27 17:20 +0300) wrote: >>> >>>> From d2dfd0fcc34f5cdcb9d181093cffd5af16be6641 Mon Sep 17 00:00:00 2001 >>>> From: ng0 <n...@we.make.ritual.n0.is> >>>> Date: Sat, 27 Aug 2016 13:33:31 +0000 >>>> Subject: [PATCH 1/4] gnu: emacs: Use https for elpa.gnu.org. >>>> >>>> * gnu/packages/emacs.scm: Use 'https' for all elpa.gnu.org urls. >>>> --- >>>> gnu/packages/emacs.scm | 24 ++++++++++++------------ >>>> 1 file changed, 12 insertions(+), 12 deletions(-) >>>> >>>> >>>> diff --git a/gnu/packages/emacs.scm b/gnu/packages/emacs.scm >>>> index 4fe9a8a..d1d8af0 100644 >>>> --- a/gnu/packages/emacs.scm >>>> +++ b/gnu/packages/emacs.scm >>>> @@ -652,7 +652,7 @@ programs.") >>>> (version "1.0.4") >>>> (source (origin >>>> (method url-fetch) >>>> - (uri (string-append >>>> "http://elpa.gnu.org/packages/let-alist-"; >>>> + (uri (string-append >>>> "https://elpa.gnu.org/packages/let-alist-"; >>>> version ".el")) >>> >>> FYI 'let-alist' was added by Ludovic, and I think using "http" was >>> intentional. I asked once about "https" vs. "http", and I'm not sure >>> whether these http→https changes are desired: >>> >>> http://lists.gnu.org/archive/html/guix-devel/2015-07/msg00378.html >> >> I share this position although it is a very short statement for a >> complex topic. Using tls in combination with for example the extension >> certificate patrol for firefox based browsers helps to control >> certificates and catch bad ones. >> >> Does hydra pull packages via tor? Is our default tor? No. As long as we >> have no alternative, like the one I work towards to, we should use the >> minimal bit of authenticity tls can provide. > > Adding to this: in some countries, using tor is dangerous, illegal and > the opposition can face severe sentences by the government in charge of > the country. It makes more sense to use tls, even when it is broken, > than to say 'just use tor'. We add security on top of that through hash > and checksums, but having a default of tls is safer in my opinion, for > the moment. > -- > ng0 > For non-prism friendly talk find me on http://www.psyced.org > -- ng0 For non-prism friendly talk find me on http://www.psyced.org
