GNU bug report logs - #33825
25.2; Failing to verify signature for ELPA debbugs package


Package: emacs;

Reported by: clemera <clemens.radermacher <at> posteo.de>

Date: Fri, 21 Dec 2018 16:22:01 UTC

Severity: normal

Tags: patch

Found in version 25.2

Done: Stefan Kangas <stefan <at> marxist.se>

Bug is archived. No further changes may be made.



Message #43 received at 33825 <at> debbugs.gnu.org (full text, mbox):

From: Robert Pluim <rpluim <at> gmail.com>
To: Stefan Kangas <stefan <at> marxist.se>
Cc: Eli Zaretskii <eliz <at> gnu.org>, 33825 <at> debbugs.gnu.org,
 Clemens Radermacher <clemens.radermacher <at> posteo.de>
Subject: Re: bug#33825: 25.2; , Failing to verify signature for ELPA debbugs
 package
Date: Tue, 17 Sep 2019 15:34:04 +0200
>>>>> On Mon, 16 Sep 2019 21:13:13 +0200, Stefan Kangas <stefan <at> marxist.se> said:

    Stefan> Eli Zaretskii <eliz <at> gnu.org> writes:
    >> > How about also adding a recommendation to use https, as far as
    >> > possible, for package archives?  I guess that could be added to both
    >> > the doc string of package-archives and possibly also the manual.  That
    >> > would help security and avoid issues such as these.
    >> 
    >> I'd leave this out of the manual.  Doc string should be enough.

    Stefan> Thanks.  How about the attached patch?

Nits below

    Stefan> Best regards,
    Stefan> Stefan Kangas

    Stefan> From afc49ccd4e3e593f1f2dfffbdd6e457132efa9cd Mon Sep 17 00:00:00 2001
    Stefan> From: Stefan Kangas <stefankangas <at> gmail.com>
    Stefan> Date: Mon, 16 Sep 2019 21:09:32 +0200
    Stefan> Subject: [PATCH] Recommend https for package-archives

    Stefan> * lisp/emacs-lisp/package.el (package-archives): Doc fix to recommend
    Stefan> using https sources instead of http where possible.
    Stefan> (Bug#33825)

"Recommend using https..." is shorter and more direct.

    Stefan> ---
    Stefan>  lisp/emacs-lisp/package.el | 5 ++++-
    Stefan>  1 file changed, 4 insertions(+), 1 deletion(-)

    Stefan> diff --git a/lisp/emacs-lisp/package.el b/lisp/emacs-lisp/package.el
    Stefan> index ef0c5171de..69c4427e0a 100644
    Stefan> --- a/lisp/emacs-lisp/package.el
    Stefan> +++ b/lisp/emacs-lisp/package.el
    Stefan> @@ -214,7 +214,10 @@ package-archives
    Stefan>    (Other types of URL are currently not supported.)
 
    Stefan>  Only add locations that you trust, since fetching and installing
    Stefan> -a package can run arbitrary code."
    Stefan> +a package can run arbitrary code.
    Stefan> +
    Stefan> +It is advisable to prefer HTTPS URLs over HTTP URLs where
    Stefan> +possible, for improved security and stability."
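
Review bot: In the added doc string sentence, "for improved security and stability" is too vague to act on: it says neither what HTTPS protects nor what "stability" refers to. The sentence just above already warns that fetching and installing a package can run arbitrary code, so consider tying the two together, for example by saying that HTTPS keeps archive contents from being altered in transit, and drop "stability" unless the doc string explains it. "Where possible" also gives no guidance for an archive that only offers HTTP; pointing back to "Only add locations that you trust" would cover that case.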

Similarly: "HTTPS URLs should be used where possible, as they offer
superior security."

"stability" is not really something you can define, so probably better
not to mention it..

Robert




This bug report was last modified 5 years and 242 days ago.
