GNU bug report logs - #21382
[PATCH] Use HTTPS for package repo URLs

Package: emacs

Reported by: Francois Marier <francois <at> fmarier.org>

Date: Mon, 31 Aug 2015 00:22:01 UTC

Severity: wishlist

Done: Lars Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.




Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#21382; Package emacs. (Mon, 31 Aug 2015 00:22:02 GMT)

Acknowledgement sent to Francois Marier <francois <at> fmarier.org>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Mon, 31 Aug 2015 00:22:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Francois Marier <francois <at> fmarier.org>
To: bug-gnu-emacs <at> gnu.org
Subject: [PATCH] Use HTTPS for package repo URLs
Date: Sun, 30 Aug 2015 12:56:37 -0700
In order to avoid having users pull emacs packages over HTTP (where they can
be intercepted and modified by network attackers), I have changed the
default URLs for the package repositories to use HTTPS.

The first patch is a change to the default config for elpa.gnu.org and the
second patch updates the manual and FAQ to use HTTPS URLs in its examples.

This is my first patch to emacs and while I have read the CONTRIBUTE file,
it's quite possible I've missed something so feel free to let me know if
there are any changes you'd like me to make to the formatting of the patches or
commit messages.

Francois

-- 
http://fmarier.org/
[0001-Use-HTTPS-when-talking-to-elpa.gnu.org.patch (text/x-diff, attachment)]
[0002-Use-HTTPS-for-package-repo-URLs.patch (text/x-diff, attachment)]

Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#21382; Package emacs. (Mon, 31 Aug 2015 16:03:01 GMT)

Message #8 received at 21382 <at> debbugs.gnu.org:

From: Glenn Morris <rgm <at> gnu.org>
To: Francois Marier <francois <at> fmarier.org>
Cc: 21382 <at> debbugs.gnu.org
Subject: Re: bug#21382: [PATCH] Use HTTPS for package repo URLs
Date: Mon, 31 Aug 2015 12:02:09 -0400
Hi,

Francois Marier wrote:

> In order to avoid having users pull emacs packages over HTTP (where they can
> be intercepted and modified by network attackers),

elpa.gnu.org packages are gpg signed, which should prevent such modification.

> I have changed the default URLs for the package repositories to use HTTPS.

Thanks for the patch, but more is needed than just unconditionally
changing http to https. See discussion in

http://lists.gnu.org/archive/html/emacs-devel/2015-05/msg00110.html
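
Added example (not part of the thread and not code from Emacs): a small Emacs Lisp audit covering the two protections discussed above, the archive transport and the signature check. The `my/` function names and the `example` archive are hypothetical; `package-archives` and `package-check-signature` are the real package.el variables.

```elisp
;;; Added example: audit package.el transport and signature settings.
(require 'package)

(defun my/package-archive-findings (archives check-signature)
  "Return a list of finding strings for ARCHIVES and CHECK-SIGNATURE.
ARCHIVES has the shape of `package-archives', an alist of (NAME . URL).
CHECK-SIGNATURE has the meaning of `package-check-signature'."
  (let (findings)
    (dolist (entry archives)
      (let ((name (car entry))
            (url (cdr entry)))
        (cond
         ;; TLS transport: contents cannot be altered in transit
         ;; as long as certificate verification is enforced.
         ((string-prefix-p "https://" url t))
         ((string-prefix-p "http://" url t)
          (push (format "%s: fetched over plain HTTP (%s)" name url)
                findings))
         ;; package.el also accepts a local directory as an archive.
         ((file-name-absolute-p url))
         (t (push (format "%s: unrecognised location %s" name url)
                  findings)))))
    (cond
     ((null check-signature)
      (push "package signatures are not checked" findings))
     ((eq check-signature 'allow-unsigned)
      (push "packages without a signature are still installed" findings)))
    (nreverse findings)))

(defun my/package-audit ()
  "Report findings for the archives configured in this session."
  (interactive)
  (let ((findings (my/package-archive-findings
                   package-archives package-check-signature)))
    (message "%s" (if findings
                      (mapconcat #'identity findings "\n")
                    "All archives use HTTPS and signatures are required"))))

;; Constructed sample input: one archive on HTTP, one on HTTPS.
(my/package-archive-findings
 '(("gnu" . "http://elpa.gnu.org/packages/")
   ("example" . "https://elpa.example.org/packages/"))
 'allow-unsigned)
```

Evaluate the last form to see the findings for the constructed sample, or run `M-x my/package-audit` to check the live configuration.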




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#21382; Package emacs. (Thu, 05 Nov 2015 19:37:01 GMT)

Message #11 received at 21382 <at> debbugs.gnu.org:

From: Ted Zlatanov <tzz <at> lifelogs.com>
To: Glenn Morris <rgm <at> gnu.org>
Cc: 21382 <at> debbugs.gnu.org, Francois Marier <francois <at> fmarier.org>
Subject: Re: bug#21382: [PATCH] Use HTTPS for package repo URLs
Date: Thu, 05 Nov 2015 14:36:42 -0500
On Mon, 31 Aug 2015 12:02:09 -0400 Glenn Morris <rgm <at> gnu.org> wrote: 

GM> Francois Marier wrote:

>> In order to avoid having users pull emacs packages over HTTP (where they can
>> be intercepted and modified by network attackers),
...
>> I have changed the default URLs for the package repositories to use HTTPS.

GM> Thanks for the patch, but more is needed than just unconditionally
GM> changing http to https. See discussion in

GM> http://lists.gnu.org/archive/html/emacs-devel/2015-05/msg00110.html

Francois, would you be interested in leading the work on those items?
I'll assist any way I can but I am unable to do it myself.

Ted




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#21382; Package emacs. (Tue, 25 Jun 2019 15:50:02 GMT)

Message #14 received at 21382 <at> debbugs.gnu.org:

From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: Francois Marier <francois <at> fmarier.org>
Cc: 21382 <at> debbugs.gnu.org
Subject: Re: bug#21382: [PATCH] Use HTTPS for package repo URLs
Date: Tue, 25 Jun 2019 17:49:37 +0200
Francois Marier <francois <at> fmarier.org> writes:

> In order to avoid having users pull emacs packages over HTTP (where they can
> be intercepted and modified by network attackers), I have changed the
> default URLs for the package repositories to use HTTPS.

This seems to have been fixed sometime after this bug report, so I'm
closing it.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no




bug closed, send any further explanations to 21382 <at> debbugs.gnu.org and Francois Marier <francois <at> fmarier.org> Request was from Lars Ingebrigtsen <larsi <at> gnus.org> to control <at> debbugs.gnu.org. (Tue, 25 Jun 2019 15:50:02 GMT)

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 24 Jul 2019 11:24:11 GMT)

This bug report was last modified 4 years and 277 days ago.
