Re: serving ELPA over HTTP/S

[Stefan Monnier]

> I listed several items; do you think none of those are required?

Let's see:

* set the defaults and docs to point to https://elpa.gnu.org

Yes, that's the crux of the matter, and the only part I discussed in my
previous message.

* warn and possibly abort when ELPA transfers are done over HTTP

Why?

* offer to switch the "gnu" ELPA archive to https://elpa.gnu.org

Why?

* test on all platforms

Tests are good, but in most cases we rely on early users to test.

* maybe add the GNU ELPA SSL certificate chain explicitly to Emacs

IIUC it's not necessary because that should already be installed on
your system.

SM> not very much.  You just need to make sure it still works when the
SM> running Emacs does not support TLS.
> Define "it works."

You can still install packages via package.el.

> We can switch to an external binary for the data transfer, for instance.

Why bother?

> But is that better than asking the user to enable the GnuTLS integration?

I don't think so.

> On what supported platforms is it simply not possible?  I don't know.

I don't think it matters.

> Are those platforms worth exposing our users to the drawbacks of
> installing packages over HTTP?

I don't think those drawbacks are so terrible.
But, yes, by all means, do try and change package-archives to default to
using https when that works.


        Stefan