bug#22883: Trustable "guix pull"

[fluxboks]

Please, for the love of all/any gods!(if any)
Fix this issue :)
For example, you can get this https to work: 
https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz
(it doesn't currently)

$ wget https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz
--2016-05-15 15:32:15--  
https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz
Resolving git.savannah.gnu.org... 208.118.235.72
Connecting to git.savannah.gnu.org|208.118.235.72|:443... connected.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown 
protocol
Unable to establish SSL connection.

Chromium says:
This site can’t provide a secure connection

git.savannah.gnu.org sent an invalid response.
Learn more about this problem.
ERR_SSL_PROTOCOL_ERROR

This works just fine though: https://savannah.gnu.org/ and 
https://gnu.org/ and https://www.gnu.org/

As a reminder, letsencrypt and startssl are a thing - both provide free 
certs. If that's the issue.

But I presume there must be another reason why there's no https, 
therefore would you please consider hosting it somewhere like github? or 
if github isn't inline with GNU(for whatever reasons, eg. license), then 
surely notabug.org is(according to libreboot which recommends it instead 
of github)! Please, pretty please, consider it. At the very least you 
could host a mirror/clone there(if not make it the permanent home of the 
repo.) and someone(a dev) could push to both without even having two 
remotes(ie. just the origin remote with two push urls is okay); so when 
push-ing, both savannah and notabug would get updated(see below how), 
and thus we(the users) could use the notabug link to get master.tar.gz 
which would then be https.
It would be something like this:
https://https://notabug.org/guixuser/guix/archive/master.tar.gz
(so it's .gz not .xz, is that worse than serving it over plain http?)
I would actually recommend github for increased reliability, but 
whatever! As long as it's not served over http anymore! Or find some way 
of signing it? that's going to be harder than this!

Here's how to have two push refs in the same remote(origin):
Suppose that this
git remove -v show
shows this:
origin  https://github.com/gorhill/uMatrix.git (fetch)
origin  https://github.com/gorhill/uMatrix.git (push)
Then to add another push url to the same origin remote, you'd do:
re-add the already existing push url(from above):
git remote set-url --add --push origin 
https://github.com/gorhill/uMatrix.git
now, this
git remote -v show
would show no changes!
and now add the new one:
git remote set-url --add --push origin 
address@hidden:somethingelse/uMatrix.git
and now, this
git remote -v show
would show:
origin  https://github.com/gorhill/uMatrix.git (fetch)
origin  https://github.com/gorhill/uMatrix.git (push)
origin  address@hidden:somethingelse/uMatrix.git (push)

So when you do 'git push', it will push to both (so it will prompt for 
your ssh key password twice).

Of course for you the 'https://' urls from above would be 'git@' 
instead! (they just happen to be https for me, since I don't have push 
access)

I want to be honest here: this bug is a show stopper for me! It makes me 
draw certain unfavorable conclusions about the mentality and seriousness 
of the guix project devs. I wish it wouldn't, but really can you blame 
me? I want to use guix but not until something's done about this so that 
MITM is unlikely to happen here. At the very least let me pull this over 
https, please!

If you use notabug.org then not only we(the users) can get/clone the git 
repo over https, but we can also get/clone it over ssh! (instead of over 
just plain git://). So that'd be two rabbits in one shot!

Please let me know if anything is going to be done about this, so that I 
would know what to do next: wait or move on. No hard feels. Presumably 
any direct answer would be better than no answer, so that I would know 
what to do, rather than waste time waiting for an answer...
Thank you and I appreciate your time in reading all this!

-signed, an idiot. ;-) #whohasselfesteemamirite