bug#33825: 25.2; , Failing to verify signature for ELPA debbugs package

bug-gnu-emacs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#33825: 25.2; , Failing to verify signature for ELPA debbugs package

From:	Robert Pluim
Subject:	bug#33825: 25.2; , Failing to verify signature for ELPA debbugs package
Date:	Tue, 17 Sep 2019 15:34:04 +0200

>>>>> On Mon, 16 Sep 2019 21:13:13 +0200, Stefan Kangas <stefan@marxist.se> 
>>>>> said:

    Stefan> Eli Zaretskii <eliz@gnu.org> writes:
    >> > How about also adding a recommendation to use https, as far as
    >> > possible, for package archives?  I guess that could be added to both
    >> > the doc string of package-archives and possibly also the manual.  That
    >> > would help security and avoid issues such as these.
    >> 
    >> I'd leave this out of the manual.  Doc string should be enough.

    Stefan> Thanks.  How about the attached patch?

Nits below

    Stefan> Best regards,
    Stefan> Stefan Kangas

    Stefan> From afc49ccd4e3e593f1f2dfffbdd6e457132efa9cd Mon Sep 17 00:00:00 
2001
    Stefan> From: Stefan Kangas <stefankangas@gmail.com>
    Stefan> Date: Mon, 16 Sep 2019 21:09:32 +0200
    Stefan> Subject: [PATCH] Recommend https for package-archives

    Stefan> * lisp/emacs-lisp/package.el (package-archives): Doc fix to 
recommend
    Stefan> using https sources instead of http where possible.
    Stefan> (Bug#33825)

"Recommend using https..." is shorter and more direct.

    Stefan> ---
    Stefan>  lisp/emacs-lisp/package.el | 5 ++++-
    Stefan>  1 file changed, 4 insertions(+), 1 deletion(-)

    Stefan> diff --git a/lisp/emacs-lisp/package.el b/lisp/emacs-lisp/package.el
    Stefan> index ef0c5171de..69c4427e0a 100644
    Stefan> --- a/lisp/emacs-lisp/package.el
    Stefan> +++ b/lisp/emacs-lisp/package.el
    Stefan> @@ -214,7 +214,10 @@ package-archives
    Stefan>    (Other types of URL are currently not supported.)
 
    Stefan>  Only add locations that you trust, since fetching and installing
    Stefan> -a package can run arbitrary code."
    Stefan> +a package can run arbitrary code.
    Stefan> +
    Stefan> +It is advisable to prefer HTTPS URLs over HTTP URLs where
    Stefan> +possible, for improved security and stability."

Similarly: "HTTPS URLs should be used where possible, as they offer
superior security."

"stability" is not really something you can define, so probably better
not to mention it..

Robert

[Prev in Thread]

Current Thread

[Next in Thread]

bug#33825: 25.2; , Failing to verify signature for ELPA debbugs package, Stefan Kangas, 2019/09/13
- bug#33825: 25.2; , Failing to verify signature for ELPA debbugs package, Robert Pluim, 2019/09/16
  - bug#33825: 25.2; , Failing to verify signature for ELPA debbugs package, Stefan Kangas, 2019/09/16
    - bug#33825: 25.2; , Failing to verify signature for ELPA debbugs package, Robert Pluim, 2019/09/16
    - bug#33825: 25.2; , Failing to verify signature for ELPA debbugs package, Eli Zaretskii, 2019/09/16
    - bug#33825: 25.2; , Failing to verify signature for ELPA debbugs package, Stefan Kangas, 2019/09/16
    - bug#33825: 25.2; , Failing to verify signature for ELPA debbugs package, Robert Pluim <=
    - bug#33825: 25.2; , Failing to verify signature for ELPA debbugs package, Stefan Kangas, 2019/09/20

Prev by Date: bug#36198: [PATCH] Update ipa-praat.el to match more recent versions of Praat
Next by Date: bug#37420: [PATCH] Recommend against SHA-1 for security-related applications
Previous by thread: bug#33825: 25.2; , Failing to verify signature for ELPA debbugs package
Next by thread: bug#33825: 25.2; , Failing to verify signature for ELPA debbugs package
Index(es):
- Date
- Thread