Re: serving ELPA over HTTP/S

From: Stefan Monnier
Subject: Re: serving ELPA over HTTP/S
Date: Mon, 04 May 2015 15:16:01 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.50 (gnu/linux)

SM> * warn and possibly abort when ELPA transfers are done over HTTP
SM> * offer to switch the "gnu" ELPA archive to https://elpa.gnu.org
SM> Why?
> Because HTTP is worse than HTTP/S as a software delivery channel in
> almost every way.

Better/worse is not sufficient in itself to justify annoying the user.
So the "why" was really saying "why is it a big enough deal"?

SM> * maybe add the GNU ELPA SSL certificate chain explicitly to Emacs
SM> IIUC it's not necessary because that should already be installed on
SM> your system.
> Unfortunately it's not always the case. If we want package installation
> to always work, we should provide a safety net.  But I'm not insisting
> on this, only suggesting it.

Package installation should indeed work even without those
certificate chains.  Either by accepting the "unverified" certificates,
or by falling back to HTTP.

>>> We can switch to an external binary for the data transfer, for instance.
SM> Why bother?
> To provide a fallback.  But I agree that it's better to just ask for GnuTLS.

We already have a fallback to HTTP.  I think it's sufficient.

> OK. Perhaps it's best to simply make it a list instead of a string and
> try each one in sequence.

Why?  Why not just

  (if (we-have-gnutls) <thehttpsurl> <thehttpurl>)

-- Stefan
