start refusing to pull packages from unauthenticated upstreams

[glyph]

A number of recipes retrieve code using either http:// or git:// transports; these should not be allowed.

My understanding is that typing make in the melpa repository is what does the actual building of packages, so it would be melpa doing the package signing when #1749 is implemented. If my understanding is correct, I think it would be irresponsible to codesign a package that was just some code automatically scraped off of a wiki.

[alphapapa]

Where do signed git tags/commits figure into this? They're very easy to use.

Of course, if the GPG key is not fetched securely, and/or if it's not signed by a known trustworthy key, it's not technically authenticated (cf. Debian's key-signing parties). But it would still be nice to have support for it. And if MELPA stored the already-fetched GPG keys on its server, it could detect if a signing key changed, and it could refuse to build signed packages if they were signed by a different key, or unsigned packages if their previous releases were signed.

This would be a nice step in the right direction. HTTPS/TLS is nice, but it's not a panacea, and it doesn't protect against something like GitHub being compromised.

[glyph]

Where do signed git tags/commits figure into this?

Git signatures rely on sha1, which has been more or less completely compromised by Google this year, so they don't provide a strong guarantee of authenticity either. Probably not worth bothering with. (There's also the fact that commit-signing is not itself more meaningful than "this came from this repository" unless the signer verifies the contents of every file, since the parent commit was not itself signed.)

They're very easy to use.

Disagree. GPG's web of trust is so confusing that, as far as I know, there are no crypto experts who believe they can use it without serious preparation. Unfortunately, the mode that makes the most sense for using GPG is when one is verifying a signature that can only have come from one key (like debian / apt signatures).

[glyph]

... it doesn't protect against something like GitHub being compromised ...

Provider-independent security is always a good goal, but let's not try to build rocketships before we can even crawl. This ticket is about beginning to refuse to pull from package sources that are entirely unauthenticated, and it's been open for almost 2 years. Let's please have MELPA do that before getting off into the crypto-utopian weeds with peer-to-peer signatures.

[alphapapa]

Git signatures rely on sha1, which has been more or less completely compromised by Google this year, so they don't provide a strong guarantee of authenticity either. Probably not worth bothering with.

I'm not sure I understand what you mean.

1. Git commits are referenced by SHA1 hashes, but signed git tags are PGP signatures, which have not been compromised.
2. IIUC, the Google PoC is neat, but doesn't mean that SHA1 has been universally compromised. It took about a year of real-time on one of their huge clusters and allowed them to produce a collision in a PDF. It points to SHA1 being broken someday, but it's not universally so now. IIUC, even MD5 isn't broken in that way, as there is no feasible preimage attack. (I am far from a crypto expert, but I just googled around a bit to refresh my memory. Please correct me if I'm wrong.)
3. AFAIK the git project is working on upgrading to at least SHA256. When that is completed, the hashes signed by PGP in signed tags will be even more resistant.

So, signed git tags are useful for authenticity now and should remain so in the future.

(There's also the fact that commit-signing is not itself more meaningful than "this came from this repository" unless the signer verifies the contents of every file, since the parent commit was not itself signed.)

Not sure what you mean here either. Git inherently provides resistance to change detection, as an author who tried to push a commit to a sabotaged repo would get a push failure since his commit would not be a child of the altered commit. When a committer signs a tag, it effectively signs both that commit and the whole chain of parent commits.

We assume that an author would not hard-reset his own repo to a sabotaged remote ref, then sign and push his own commit on top of that, just as we assume that an author will not give out his SSH key passphrase, etc. The threats being protected against are MITM attacks and attacks on the author's git repos, e.g. on GitHub's file servers.

Disagree. GPG's web of trust is so confusing that, as far as I know, there are no crypto experts who believe they can use it without serious preparation. Unfortunately, the mode that makes the most sense for using GPG is when one is verifying a signature that can only have come from one key (like debian / apt signatures).

What I mean is that they are easy to use for the signer: just run git tag -s, type in your passphrase, and push.

Provider-independent security is always a good goal, but let's not try to build rocketships before we can even crawl. This ticket is about beginning to refuse to pull from package sources that are entirely unauthenticated, and it's been open for almost 2 years. Let's please have MELPA do that before getting off into the crypto-utopian weeds with peer-to-peer signatures.

For MELPA, it should be as simple as adding each author's PGP key to the MELPA keyring when their first recipe is accepted, then automatically verifying the signature on each recipe's git tags. That's very straightforward, and it provides provider-independent security.

[aplaice]

1. Git commits are referenced by SHA1 hashes, but signed git tags are PGP signatures, which have not been compromised.

If I understand git's signing of tags (and commits) correctly, the problem is that when signing a tag, what you're signing is the SHA1 hash of the given commit, with some metadata (dates, name of tagger, message), not the underlying source code. Hence, if an attacker manages to produce a commit with the same SHA1 hash as a commit by the original author, then a signed tag won't protect you.

(Signed tags will protect you, assuming that SHA1 is not completely broken, from a MITM attack or a rogue party having write access to the repository.)

Disclaimer: IANAC

[alphapapa]

what you're signing is the SHA1 hash of the given commit, with some metadata (dates, name of tagger, message), not the underlying source code.

A commit hash is a hash of the entire tree at that commit, which includes hashes of all the files. That's how git knows if a file is changed. That's the whole point. A signed tag testifies that the commit hash was signed by the author's PGP key.

Hence, if an attacker manages to produce a commit with the same SHA1 hash as a commit by the original author, then a signed tag won't protect you.

As I said, there is no SHA1 preimage attack; there's not even an MD5 preimage attack yet. Google's SHA1 attack took like 100 years of GPU time and produced a collision in a specially crafted PDF. SHA1 is not broken in this way and it's a long ways from being so.

Signed git tags would go a long way toward protecting MELPA, at least for the packages whose authors are willing to use them.

[aplaice]

A commit hash is a hash of the entire tree at that commit, which includes hashes of all the files. That's how git knows if a file is changed. That's the whole point. A signed tag testifies that the commit hash was signed by the author's PGP key.

I'm derailing the discussion, but the point is that the commit object (whose hash is the commit hash) contains the hash of the tree object and the parent commit (plus metadata). The tree object, in turn contains, as you wrote, the hashes of all the files, plus their sizes. As a result, if hypothetically someone manages to produce a file which has the same SHA1 hash, and the same size, as a file in the original repository (or ideally in the latest commit that hasn't yet been fetched by MELPA), then the "tree hash" and consequently the commit hash will be the same, so the signature will still be valid.

Obviously there's a huge jump between producing a set of pairs of PDFs that collide, in a year, to a preimage attack (actually more, since we need the sizes to match) within the four hours between successive MELPA rebuilds, but the original assertion, that I was defending, that "Git signatures [...] don't provide a strong guarantee of authenticity either" is more-or-less true.

(Again, this is not to say that git signatures wouldn't be nice to have, anyway, in an ideal world.)

In any case, the topic of implementing a web of trust, using author-signed commits etc. should probably be in a separate issue.

[alphapapa]

but the original assertion, that I was defending, that "Git signatures [...] don't provide a strong guarantee of authenticity either" is more-or-less true.

This is the crux of the issue. And, no--with respect--I think you are completely wrong. They currently do provide a strong guarantee of authenticity. In order to break that guarantee, either PGP or SHA1 would have to be broken. Neither of them are broken, nor are either of them close to being broken.

Remember, it's effectively the same system Debian has used for years: hash packages with MD5/SHA1 (and now SHA256 as well) and PGP-sign the hashes. It's very secure--practically as secure as you can get. If it's good enough for Debian, it's good enough for MELPA. ;)

[aplaice]

On the topic of https, I think that these are the packages that are fetched unauthenticated (40 in total):

Package	fetcher	URL
color-theme	bzr	http://bzr.savannah.gnu.org/r/color-theme/trunk
sml-modeline	bzr	lp:~nxhtml/nxhtml/main
debian-changelog-mode	cvs	:pserver:anonymous@cvs.alioth.debian.org:/cvs/pkg-goodies-el
debian-bug	cvs	:pserver:anonymous@cvs.alioth.debian.org:/cvs/pkg-goodies-el
w3m	cvs	:pserver:anonymous@cvs.namazu.org:/storage/cvsroot
shimbun	cvs	:pserver:anonymous@cvs.namazu.org:/storage/cvsroot
tex-smart-umlauts	darcs	http://hub.darcs.net/lyro/tex-smart-umlauts
darcsum	darcs	http://hub.darcs.net/simon/darcsum
zeitgeist	git	git://anongit.freedesktop.org/zeitgeist/zeitgeist-datasources
fuel	git	git://factorcode.org/git/factor.git
jabber	git	git://git.code.sf.net/p/emacs-jabber/git
jtags	git	git://git.code.sf.net/p/jtags/code
log4j-mode	git	git://git.code.sf.net/p/log4j-mode/code
matlab-mode	git	git://git.code.sf.net/p/matlab-emacs/src
speechd-el	git	git://git.freebsoft.org/git/speechd-el
notmuch	git	git://git.notmuchmail.org/git/notmuch
howm	git	git://git.osdn.jp/gitroot/howm/howm.git
po-mode	git	git://git.savannah.gnu.org/gettext.git
bbdb	git	git://git.savannah.nongnu.org/bbdb.git
stumpwm-mode	git	git://git.savannah.nongnu.org/stumpwm.git
emms	git	git://git.sv.gnu.org/emms.git
eide	git	git://git.tuxfamily.org/gitroot/eide/emacs-ide.git
deft	git	git://jblevins.org/git/deft.git
org-mac-link	git	git://orgmode.org/org-mode.git
org-mac-iCal	git	git://orgmode.org/org-mode.git
stgit	git	git://repo.or.cz/stgit.git
password-store	git	http://git.zx2c4.com/password-store
llvm-mode	git	http://llvm.org/git/llvm
paredit	git	http://mumble.net/~campbell/git/paredit.git
anything	git	http://repo.or.cz/r/anything-config.git
org-fstree	git	http://repo.or.cz/r/org-fstree.git
undo-tree	git	http://www.dr-qubit.org/git/undo-tree.git
redshank	git	http://www.foldr.org/~michaelw/projects/redshank.git
cg	svn	http://beta.visl.sdu.dk/svn/visl/tools/vislcg3/trunk/emacs
caml	svn	http://caml.inria.fr/svn/ocaml/trunk/emacs/
clang-format	svn	http://llvm.org/svn/llvm-project/cfe/trunk/tools/clang-format
dsvn	svn	http://svn.apache.org/repos/asf/subversion/trunk/contrib/client-side/emacs/
dic-lookup-w3m	svn	http://svn.osdn.jp/svnroot/dic-lookup-w3m/
ruby-electric	svn	http://svn.ruby-lang.org/repos/ruby/trunk/misc/
ruby-additional	svn	http://svn.ruby-lang.org/repos/ruby/trunk/misc/

The two most popular (I think) are undo-tree and notmuch. Neither allows cloning via https (in the case of notmuch it's weird, as they have a valid certificate for the domain, but they just don't seem to support https as a protocol for git), but both do have tags that are signed. Perhaps, verifying the signature of tags could potentially be used as a supplement for requiring https (i.e. either require https or tags signed by authors).

[alphapapa]

@aplaice Thanks for putting that info together!

[aplaice]

It seems that, actually, quite a few of these repositories do now support https, even if they didn't when the recipes were written. 13 need just a change of protocol and 4 also needed a slight adjustment of the URL (in the case of savannah — e.g. git://git.savannah.gnu.org/gettext.git -> https://git.savannah.gnu.org/git/gettext.git ). Full table of changes needed, below:

Package	fetcher	Original URL	New URL
po-mode	git	git://git.savannah.gnu.org/gettext.git	https://git.savannah.gnu.org/git/gettext.git
bbdb	git	git://git.savannah.nongnu.org/bbdb.git	https://git.savannah.nongnu.org/git/bbdb.git
stumpwm-mode	git	git://git.savannah.nongnu.org/stumpwm.git	https://git.savannah.nongnu.org/git/stumpwm.git
emms	git	git://git.sv.gnu.org/emms.git	https://git.savannah.gnu.org/git/emms.git
color-theme	bzr	http://bzr.savannah.gnu.org/r/color-theme/trunk	https://bzr.savannah.gnu.org/r/color-theme/trunk
jabber	git	git://git.code.sf.net/p/emacs-jabber/git	https://git.code.sf.net/p/emacs-jabber/git
jtags	git	git://git.code.sf.net/p/jtags/code	https://git.code.sf.net/p/jtags/code
log4j-mode	git	git://git.code.sf.net/p/log4j-mode/code	https://git.code.sf.net/p/log4j-mode/code
matlab-mode	git	git://git.code.sf.net/p/matlab-emacs/src	https://git.code.sf.net/p/matlab-emacs/src
password-store	git	http://git.zx2c4.com/password-store	https://git.zx2c4.com/password-store
paredit	git	http://mumble.net/~campbell/git/paredit.git	https://mumble.net/~campbell/git/paredit.git
cg	svn	http://beta.visl.sdu.dk/svn/visl/tools/vislcg3/trunk/emacs	https://beta.visl.sdu.dk/svn/visl/tools/vislcg3/trunk/emacs
caml	svn	http://caml.inria.fr/svn/ocaml/trunk/emacs/	https://caml.inria.fr/svn/ocaml/trunk/emacs/
dsvn	svn	http://svn.apache.org/repos/asf/subversion/trunk/contrib/client-side/emacs/	https://svn.apache.org/repos/asf/subversion/trunk/contrib/client-side/emacs/
dic-lookup-w3m	svn	http://svn.osdn.jp/svnroot/dic-lookup-w3m/	https://svn.osdn.jp/svnroot/dic-lookup-w3m/
ruby-electric	svn	http://svn.ruby-lang.org/repos/ruby/trunk/misc/	https://svn.ruby-lang.org/repos/ruby/trunk/misc/
ruby-additional	svn	http://svn.ruby-lang.org/repos/ruby/trunk/misc/	https://svn.ruby-lang.org/repos/ruby/trunk/misc/

Testing on Ubuntu 16.04, all of these can be cloned (or branched/checked out) with the relevant commands.

For the remaining repositories, the fact that I was unable to find a way to fetch in an authenticated way does not mean that it's not possible. In the case of sml-modeline I'm not sure whether the custom lp: (launchpad) protocol is authenticated (according to the docs it's equivalent to using bzr+ssh:// which I think, by analogy with git, is not authenticated unless you already have the relevant ssh key). It is possible to replace the lp: url with one using https ( lp:~nxhtml/nxhtml/main -> https://code.launchpad.net/~nxhtml/nxhtml/main).

To the MELPA maintainers: I have not tested whether the packages would actually build, though I have no reason to believe they would not. Should I patch the recipes and send a pull request?

[purcell]

To the MELPA maintainers: I have not tested whether the packages would actually build, though I have no reason to believe they would not. Should I patch the recipes and send a pull request?

@aplaice Yes please! Thanks for digging into this. Let's keep the lp: URLs as-is for now.

[aplaice]

@purcell I've sent a pull request. I could break this up into several pieces, for ease of reversion, if need be, but the packages seem to build and install cleanly, locally.

[alphapapa]

Sorry for the noise, just realized that I need to update emacs-w3m for Emacs 25 (the version packaged in Ubuntu Trusty isn't working with it, and eww is nice but doesn't handle some pages well in comparison), and so I just realized that this package is pulled over unauthenticated CVS. I'm not sure how significant this package is to some, but to me it's very significant as it seems to be the best browser for Emacs. It currently has over 44,000 downloads from MELPA.

I see some mirrors of the CVS repo on GitHub, but, assuming they pull automatically from CVS, using them for MELPA wouldn't increase security.

Ideally we could convince the author of w3m to switch to Git, but I'm assuming that he's still using CVS for a reason... :/

[joewreschnig]

Some more domains have got HTTPS, and some others have official GitHub mirrors:

Package	fetcher	New URL
clang-format	svn	https://llvm.org/svn/llvm-project/cfe/trunk/tools/clang-format
darcsum	darcs	https://hub.darcs.net/simon/darcsum
deft	github	jrblevin/deft
fuel	github	factor/factor
llvm-mode	git	https://llvm.org/git/llvm
sml-modeline	bzr	https://code.launchpad.net/~nxhtml/nxhtml/main
tex-smart-umlauts	darcs	https://hub.darcs.net/lyro/tex-smart-umlauts
zeitgeist	git	https://anongit.freedesktop.org/git/zeitgeist/zeitgeist-datasources.git

EIDE has got an HTTPS repository but it's very slow to clone (I gave up after 3MB and ten minutes, vs. a few seconds for raw Git) so they probably don't really intend to serve over it:

Package	fetcher	New URL
eide	git	https://git.tuxfamily.org/eide/emacs-ide.git/

What's left (hoping I caught them all):

Package	fetcher	URL
anything	git	http://repo.or.cz/r/anything-config.git
debian-bug	cvs	:pserver:anonymous@cvs.alioth.debian.org:/cvs/pkg-goodies-el
debian-changelog-mode	cvs	:pserver:anonymous@cvs.alioth.debian.org:/cvs/pkg-goodies-el
howm	git	git://git.osdn.jp/gitroot/howm/howm.git
notmuch	git	git://git.notmuchmail.org/git/notmuch
org-fstree	git	http://repo.or.cz/r/org-fstree.git
org-mac-iCal	git	git://orgmode.org/org-mode.git
org-mac-link	git	git://orgmode.org/org-mode.git
redshank	git	http://www.foldr.org/~michaelw/projects/redshank.git
shimbun	cvs	:pserver:anonymous@cvs.namazu.org:/storage/cvsroot
speechd-el	git	git://git.freebsoft.org/git/speechd-el
stgit	git	git://repo.or.cz/stgit.git
undo-tree	git	http://www.dr-qubit.org/git/undo-tree.git
w3m	cvs	:pserver:anonymous@cvs.namazu.org:/storage/cvsroot

Many of these sites have HTTPS certificates, but not served correctly or expired. orgmode.org uses a self-signed cert. :(

[aplaice]

Thanks for keeping up with this!

freedesktop.org apparently also uses https with the URL https://anongit.freedesktop.org/git/zeitgeist/zeitgeist-datasources.git/ (a diff proves that it's the same git repository), if you want to add it to the pull request (it would probably be convenient for these changes to be committed together, though I could also open a new one).

Edit: Also, deft is now on github: https://github.com/jrblevin/deft (the homepage of the package explicitly refers to this: http://jblevins.org/projects/deft/ ). In the case of fuel, the github mirror is not considered "official", but it is referred to from their site.

[joewreschnig]

The deft alternative looks good. Not sure about fuel - if it's not official that means it's mirrored from the official one somehow. We can be sure we're pulling from GitHub, but have no assurance GitHub pulled from the right site. (That the GH mirror has a non-functioning HTTPS link in its header is also troubling.) I opened an issue to ask about this.

[joewreschnig]

repo.or.cz uses an intentionally bizarre (non-CA root signing something that lasts 10,000 years) SSL certificate, which is also part of their authorization system, so could be very painful for them to change.

If it's absolutely necessary to support these repositories, one option would be to add the ability to pin a root or server cert to the recipe directly. But IMO their security architecture is reckless and should be discouraged.

[aaronjensen]

@tarsius should elpa be using the version at https://github.com/emacsorphanage/undo-tree? It looks like the version on elpa is 0.6.5 and yours is 0.6.6.

[tarsius]

Yes it should, but as the description of my fork says:

This fork exists because I cannot get the two official upstreams (author and elpa) to work together to keep their repositories in sync. Here I apply changes from both and also some patches I have been trying to get merged for years.

I don't really want to deal with this anymore.

I have opened a debbugs issue about this, but nothing has happened. You are welcome to try again to get these changes merged.

[aaronjensen]

Ah, I understand now, thanks. Okay, I'll just point to your fork for now. I can't be bothered to try any harder 😄 Thanks!

[glyph]

Any update on this?

[aplaice]

MELPA itself now only fetches from git and mercurial repositories, and only via https. The main remaining potential issue is that some of these repositories are themselves mirrors, and the mirroring might occur over an unsecured connection.

I think that the only (potentially) affected packages are those from the emacsmirror github organisation. (AFAIK emacsorphanage and emacsattic packages no longer pull updates from their original upstream.) There are 9 recipes which depend on emacsmirror repositories. Inspecting epkg.sqlite in https://github.com/emacsmirror/epkgs for these repositories:

SELECT class,url FROM packages WHERE name in ('"darcsum"','"edit-list"','"po-mode"','"dsvn"','"cg"','"helm-ls-svn"','"quack"','"clang-format"','"tex-smart-umlauts"');

there are 8 which are "file" packages (they're pulled from upstream as a plain file, ignoring whatever VCS, if any, is used upstream) and 1 which is a "subtree" package (their git repo is fetched and they're "extracted" with git subtree). The sources of all the "file" packages are https, while the subtree package is updated over ssh (git@github.com:llvm/llvm-project.git). Since the "file" fetching is done with curl, the certificate error handling (not ignoring invalid certificates) is probably as good as git's or hg's. ssh's TOFU should be OK, since I highly doubt that @tarsius would ignore fingerprint changes... :)

(w3m and shimbun which had previously been fetched with cvs either directly or via emacsmirror are now fetched from their own git repo.)

Overall, I think that the issue is now fixed.

(There's still the problem with the maintenance of undo-tree, but since undo-tree is no longer on MELPA, it's orthogonal to this issue.)

Thanks @glyph for having filed this, in the first place!

[glyph]

Okay: in light of all that, let’s call it done!

[tarsius]

@aplaice summed it up nicely. I agree we are "done". Thanks!

[aplaice]

I feel extremely naggish bringing this up, again, but looking at the recipes directory, it seems that there are now three packages fetched over an unauthenticated transport (http: and git:): elpher, eshell-outline and gemini-mode.

gemini-mode can be trivially switched over to https, so I've done so (see #7221).

Regarding the remaining two, none of the obvious possibilities for fetching them over https seem to work. (The relevant domains do have valid certificates, so in principle it could be possible.)

package	fetch URL	project webpage
eshell-outline	git://jamzattack.xyz/eshell-outline.git	https://git.jamzattack.xyz/eshell-outline/
elpher	git://thelambdalab.xyz/elpher.git	https://thelambdalab.xyz/gitweb/index.cgi?p=elpher.git;a=summary

Should I contact or ping the maintainers?

---

In case somebody comes here without having followed the entire above thread, the issues with fetching via an insecure transport are that:

1. Anybody who can intercept the connection between MELPA's servers and the "upstream" servers could insert malicious code into the package. Depending on the locations of the two servers, this might or might not be a non-negligible issue.

2. Given that AFAICT quelpa (and possibly other similar package managers) re-use MELPA's recipes "database", and given that quelpa works by having the end-user fetch the package directly from upstream, anybody who can MITM the quelpa end-user's connection can send them a malicious package. This could be, say, an ISP or a WiFi network, making the threat profile far greater than in 1. Quelpa users obviously aren't really MELPA's concern, but it'd still be nice not to endanger them needlessly.

Switching to https doesn't solve problems like the upstream server being compromised, the maintainers being coerced, the domain name lapsing and being taken over by an attacker or nation-state actors who have access to the https root certificates, but it does provide some degree of security.

---

(FWIW I came back here accidentally, while trying to find elpher's source code and wondering how MELPA fetches it...)

[tarsius]

Should I contact or ping the maintainers?

Please do.

And I agree we should do something to prevent this from happening again.

Not sure where to do it though, probably package-build.el. (Patches welcome.)

[aplaice]

I'll start with the simplest approach, first.

---

@tgvaughan, @jamzattack I'm sorry for bothering you, but is there a way of fetching the code from your repositories for elpher and eshell-outline, respectively, via https with git? If not, would you consider providing one?

The potential security issues with pulling using an unauthenticated transport are described elsewhere in this thread, for instance here.

Sorry again for taking your time and thanks for writing the interesting packages in the first place!

[tgvaughan]

@aplaice Thanks for getting in touch! This isn't possible with my existing server configuration, but should be possible to set up. I'll have a go at tackling this on the weekend and report back.

[jamzattack]

@aplace @tarsius After an arduous battle with apache conf syntax, I got it working. The repository can now be accessed via `git clone https://git.jamzattack.xyz/eshell-outline`, feel free to update the recipe. Cheers.

[aplaice]

@aplace @tarsius After an arduous battle with apache conf syntax, I got it working. The repository can now be accessed via `git clone https://git.jamzattack.xyz/eshell-outline`, feel free to update the recipe. Cheers.

@jamzattack Thanks very much! It's greatly appreciated!

[tarsius]

@tgvaughan Hey Tim, I ha mr grad for e paar Minute uebrlegt oeps nit langsam mol a dr Zit waer in Basel e Emacstraefe z organisiert. Waersch interessiert?

[tarsius]

Ups do hani doch glad d Pandemi fuer e Momaently vrgaesse, abr wenn den alles vrbi isch...

[tgvaughan]

@aplace Took a bit longer than expected, but the elpher repo should now be accessible via git clone https://thelambdalab.xyz/git/elpher.git. Thus the recipe can be updated. (Do you mind doing this, or shall I prepare a PR?)

@tarsius In principle I'm interested in Basel emacs meetups, but as you say this isn't the best time.. :-( I also only speak English and very very scratchy Hochdeutsch.

[tarsius]

I've just updated the recipe.
I took a note about you being interested in a meetup.

[tgvaughan]

Thanks Jonas!