Re: Fetching from the git repositories over https?

Subject: Re: Fetching from the git repositories over https?

Date: Sat, 03 Feb 2018 22:10:52 -0500

To: Adam Plaice,
From: Daniel Kahn Gillmor

Hi Adam--

On Sun 2018-01-28 17:26:08 +0000, Adam Plaice wrote:
> I apologise if I'm asking in the wrong place.
> Is it possible to clone/fetch from the notmuch git repositories
> (particularly over https
> rather than with the `git://' protocol?  (None of the likely
> alternatives seem to work.)

It's currently not possible to do that, but some maintenance work is
underway that might allow us to support it in the future.

I agree with you that https:// is probably a better transport than
git:// in 2018, regardless of what MELPA thinks :)

> Using https would raise the bar, from anybody who can hijack the
> connection between MELPA and, to those who can compromise
> the SSL certificate chain.

Whether we use https or not, MELPA should be relying on signed git tags
from known release managers of the upstream projects.

For notmuch, that would be David Bremner, openpgp key fingerprint

If MELPA is relying only on HTTPS for source integrity, it's vulnerable
to any breakage in the HTTPS security model -- from malicious CAs to
cryptographic attacks against the TLS layer itself.

I agree with you that https:// is preferable to git://, but please
encourage MELPA to take the next step and properly verify the retrieved
source directly via OpenPGP.


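The check the reply asks MELPA to perform, written out as an added example (not code from this thread or from the notmuch project): a POSIX shell script that verifies a signed git tag and pins the result to one release manager's OpenPGP fingerprint. It relies on `git verify-tag --raw`, which prints GnuPG's machine-readable status lines, and the parsing is exercised below on constructed status lines; the fingerprint value is a placeholder, since the real one is not reproduced on this page.

```shell
#!/bin/sh
# Pinned primary-key fingerprint of the project's release manager.
# PLACEHOLDER: the real fingerprint is not reproduced on this page; take it
# from the project's own announcements, not from the download channel.
PINNED_FPR="0000000000000000000000000000000000000000"

# verify_status reads GnuPG status lines on stdin (what `git verify-tag --raw`
# emits on stderr) and succeeds only if at least one VALIDSIG line names
# PINNED_FPR as the signing key's primary fingerprint and no line reports a
# bad, expired or revoked signature.  GOODSIG alone is deliberately not
# enough: it is satisfied by any key that happens to be in the local keyring.
verify_status() {
    pinned="$1"
    ok=0
    while IFS=' ' read -r prefix keyword rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case "$keyword" in
            VALIDSIG)
                # Fields: <fpr> <date> <ts> <expiry> <ver> <reserved>
                #         <pubkey_algo> <hash_algo> <class> <primary_fpr>
                set -- $rest
                primary="${10:-$1}"
                if [ "$primary" = "$pinned" ]; then ok=1; fi
                ;;
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)
                return 1
                ;;
        esac
    done
    [ "$ok" -eq 1 ]
}

# verify_tag wraps git: gpg checks the tag object's signature and the status
# stream is then pinned to the expected key.  The release manager's public
# key must already be in the keyring (e.g. imported with
# `gpg --recv-keys "$PINNED_FPR"` and compared against the published value).
verify_tag() {
    tag="$1"
    git verify-tag --raw "$tag" 2>&1 >/dev/null | verify_status "$PINNED_FPR"
}

# Usage in a build pipeline (e.g. by a package archive before it builds):
#   git fetch origin "refs/tags/$TAG:refs/tags/$TAG" &&
#   verify_tag "$TAG" && git checkout "$TAG"
```

Because the fingerprint is pinned in the build script rather than taken from the fetched repository, a swapped tag signed by some other key fails even if that key was imported into the keyring along the way.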