[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: serving ELPA over HTTP/S
From: |
Ted Zlatanov |
Subject: |
Re: serving ELPA over HTTP/S |
Date: |
Mon, 04 May 2015 12:01:42 -0400 |
User-agent: |
Gnus/5.130012 (Ma Gnus v0.12) Emacs/25.0.50 (gnu/linux) |
On Mon, 04 May 2015 11:41:09 -0400 Stefan Monnier <address@hidden> wrote:
>> I listed several items; do you think none of those are required?
SM> Let's see:
SM> * set the defaults and docs to point to https://elpa.gnu.org
SM> Yes, that's the crux of the matter, and the only part I discussed in my
SM> previous message.
SM> * warn and possibly abort when ELPA transfers are done over HTTP
SM> * offer to switch the "gnu" ELPA archive to https://elpa.gnu.org
SM> Why?
Because HTTP is worse than HTTP/S as a software delivery channel in
almost every way.
SM> * maybe add the GNU ELPA SSL certificate chain explicitly to Emacs
SM> IIUC it's not necessary because that should already be installed on
SM> your system.
Unfortunately it's not always the case. If we want package installation
to always work, we should provide a safety net. But I'm not insisting
on this, only suggesting it.
>> We can switch to an external binary for the data transfer, for instance.
SM> Why bother?
To provide a fallback. But I agree that it's better to just ask for GnuTLS.
>> Are those platforms worth exposing our users to the drawbacks of
>> installing packages over HTTP?
SM> I don't think those drawbacks are so terrible.
OK, let's say they are enough to justify some concern. So we should
express that concern through warnings.
SM> But, yes, by all means, do try and change package-archives to default to
SM> using https when that works.
OK. Perhaps it's best to simply make it a list instead of a string and
try each one in sequence. That would also allow `package-archives' to
support "dumb" failover natively, a nice side benefit!
The change will be from:
LOCATION specifies the base location for the archive.
If it starts with "http:", it is treated as a HTTP URL;
otherwise it should be an absolute directory name.
(Other types of URL are currently not supported.)
to:
LOCATION specifies the base location for the archive.
If it starts with "http:" or "https:", it is treated as a HTTP URL;
otherwise it should be an absolute directory name.
(Other types of URL are currently not supported.)
If LOCATION is a list, each element is attempted as a URL sequentially.
And change the default to
(("gnu" "https://elpa.gnu.org/packages/" "http://elpa.gnu.org/packages/"))
That would annoy but not break users that don't have GnuTLS available.
Sounds good?
Ted
- serving ELPA over HTTP/S, Ted Zlatanov, 2015/05/04
- Re: serving ELPA over HTTP/S, Stefan Monnier, 2015/05/04
- Re: serving ELPA over HTTP/S, Ted Zlatanov, 2015/05/04
- Re: serving ELPA over HTTP/S, Stefan Monnier, 2015/05/04
- Re: serving ELPA over HTTP/S,
Ted Zlatanov <=
- Re: serving ELPA over HTTP/S, Ivan Shmakov, 2015/05/04
- Re: serving ELPA over HTTP/S, Stefan Monnier, 2015/05/04
- Re: serving ELPA over HTTP/S, Ted Zlatanov, 2015/05/04
- Re: serving ELPA over HTTP/S, Stefan Monnier, 2015/05/05
- Re: serving ELPA over HTTP/S, Ted Zlatanov, 2015/05/05
- Re: serving ELPA over HTTP/S, Artur Malabarba, 2015/05/05
- Re: serving ELPA over HTTP/S, Stefan Monnier, 2015/05/05
Re: serving ELPA over HTTP/S, Artur Malabarba, 2015/05/04