From mboxrd@z Thu Jan  1 00:00:00 1970
From: Radon Rosborough <radon.neon@gmail.com>
Subject: How can I obtain Org via HTTPS?
Date: Sun, 3 Dec 2017 22:46:49 -0800
Message-ID: <CADB4rJFxTWTTPE0AOmKq0fU1TT_tWnDxx+SNFnWbjU4-zocb4w@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Return-path: <emacs-orgmode-bounces+geo-emacs-orgmode=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:57902)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <radon.neon@gmail.com>) id 1eLkXM-0003AO-L6
	for Emacs-orgmode@gnu.org; Mon, 04 Dec 2017 01:47:33 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <radon.neon@gmail.com>) id 1eLkXL-0002S1-LH
	for Emacs-orgmode@gnu.org; Mon, 04 Dec 2017 01:47:32 -0500
Received: from mail-lf0-x235.google.com ([2a00:1450:4010:c07::235]:42951)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <radon.neon@gmail.com>)
	id 1eLkXL-0002Ru-CR
	for Emacs-orgmode@gnu.org; Mon, 04 Dec 2017 01:47:31 -0500
Received: by mail-lf0-x235.google.com with SMTP id i2so17844348lfe.9
	for <Emacs-orgmode@gnu.org>; Sun, 03 Dec 2017 22:47:31 -0800 (PST)
List-Id: "General discussions about Org-mode." <emacs-orgmode.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/emacs-orgmode>,
	<mailto:emacs-orgmode-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/emacs-orgmode/>
List-Post: <mailto:emacs-orgmode@gnu.org>
List-Help: <mailto:emacs-orgmode-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/emacs-orgmode>,
	<mailto:emacs-orgmode-request@gnu.org?subject=subscribe>
Errors-To: emacs-orgmode-bounces+geo-emacs-orgmode=m.gmane.org@gnu.org
Sender: "Emacs-orgmode"
	<emacs-orgmode-bounces+geo-emacs-orgmode=m.gmane.org@gnu.org>
To: Emacs-orgmode@gnu.org

Hello all,

It does not appear to be possible to obtain the Git repository for Org
via HTTPS or SSH, only via HTTP. I have checked the manual and
searched the Internet to see if there is a way, but no luck. I only
found an unanswered inquiry from earlier this year [1].

=E2=80=94Why is HTTPS/SSH necessary when Org releases are signed with GPG?
Well, only releases are signed. If you want to clone the development
version of Org, there appears to be no way to verify that it has not
been tampered with, since the clone was using an insecure protocol.

=E2=80=94Why do I care about this?
I maintain the package manager straight.el [2], which installs
packages by cloning their Git repositories. By default, the
development version of a package is installed. It would be
irresponsible to install packages via HTTP, so straight.el is forced
to install Org from the EmacsMirror [3] instead. This makes me
uncomfortable, since I would prefer to install packages from their
authoritative upstream sources=E2=80=94this makes contributing back to thos=
e
packages easier.

Have I missed something? Is it already possible to obtain Org
securely? If not, is making that possible a current goal of the
project? If not, what is the difficulty and can I help?

Best regards,
Radon Rosborough

[1]: http://lists.gnu.org/archive/html/emacs-orgmode/2017-03/msg00335.html
[2]: https://github.com/raxod502/straight.el
[3]: https://github.com/emacsmirror/org