[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Enforcing TLS for GNU ELPA
|
From: |
Jean Louis |
|
Subject: |
Re: Enforcing TLS for GNU ELPA |
|
Date: |
Tue, 20 Oct 2020 12:05:34 +0300 |
|
User-agent: |
Mutt/+ (1036f0e) (2020-10-18) |
* Vasilij Schneidermann <mail@vasilij.de> [2020-10-20 01:11]:
> Some time ago I've contributed a change to a certain package
> repository's webserver setup that responds to http:// requests with a
> 301 redirect to the https:// version. Should the same be done for GNU
> ELPA? Why/why not?
>
> Some data points for the "why not" faction I've discovered after that
> change:
>
> - There's still Windows users who do not have an installation with the
> gnutls libraries, despite the strong suggestion to download it for the
> full experience.
I would say, sorry, there is no access to Emacs supported packages. If
they want without signing, they can find out configuration option.
> - Emacs versions below 26.1 are affected by a HTTPS proxy bug [1] that
> makes life in corporate environments hard.
I would say sorry for that, and would push security.
Administrator in corporate environment can provide all allowed or by
corporation approved packages to each user, either by making general
settings on a single computer, or by entering defaults in
/etc/skel/.emacs.d/elpa/you-name-it
Majority of GNU/Linux distributions already have Emacs packages inside
of distribution. Some of them have more than few hundred packages.
In that sense, corporate environment is not a problem as BOFH can do
it for its users.
> - The initializer of `package-archives` already generates the
> appropriate URL, so this will affect people who have redefined that
> variable and break their setup for no reason.
There is reason of security, it could be announced in new Emacs
version. Provided it is done.