stop pulling unauthenticated upstreams #3005
Conversation
|
This addresses #3004 . |
|
This is obviously quite a large PR with a lot of changes; I'm not sure it can land as-is (certainly not until I can figure out what's wrong with the CI). I hope it can serve as a useful starting point for a discussion about what needs to change to avoid the possibility of trivial compromise via malware being injected on the wiki, or into a connection to a CVS repository. |
|
hey, this is still on my radar. I really like the idea, think we need to consider how to get it merged in soon. just letting you know it's not being ignored. |
|
@milkypostman - thanks for the update. I am glad that this is on your mind :). |
Refs: - melpa#2342 - melpa#3004 - melpa#3005
Refs: - melpa#2342 - melpa#3004 - melpa#3005
Refs: - melpa#2342 - melpa#3004 - melpa#3005
|
What in this pull request is still relevant and what is not? @glyph, I think you would have a better chance of getting at least some of this merged if you split it up into multiple branches (but I would recommend against opening more than one or two new pull requests initially). For example, I don't think emacswiki support is going to be dropped any time soon, but the various http => https changes would likely be accepted without much discussion. In any case, rebasing would help. |
|
@tarsius I always thought it was unlikely that this could be merged as-is :). I'll try to start splitting this up as I have time. |
|
I am closing this then as there also is #3004. |
|
👍 |
This will undoubtedly break many of these projects, but that's the point. HTTPS is literally free, anyone can have it, it takes only a few minutes to set up, and while you wait you can use free HTTPS-enabled hosts like Github.