melpa / package-build

Tools for assembling a package archive
https://github.com/melpa/melpa

Prevent fetching from git using an insecure protocol #42

Closed aplaice closed 3 years ago

aplaice commented 3 years ago

(As suggested here.)

This is to prevent https://github.com/melpa/melpa/issues/3004 from coming up again.

I have no idea whether this is the cleanest approach, but it seems to work (allowing building packages that use https:, but not those that use git:), so hopefully with feedback it might be massaged into something useful. (That is assuming that making changes in package-build is not deemed to be overkill for the issue.)

hg

I have not touched the checkout code for mercurial, since I have very little experience with hg, and hence I'm not sure which protocols should be allowed. Obviously, the same approach would also work for it.

file and ssh protocols

I've kept the "file" and "ssh" protocols, in addition to the obvious ("https"). I remember specifying a local path in a recipe, for local testing, in the distant past, so I think the file protocol (used implicitly or explicitly) should definitely be kept; anyway, it's not insecure. I'm less sure about ssh — in principle ssh's TOFU provides some security, but probably not in an automated environment (MELPA's servers).


In the highly unlikely case that this is ready as-is, merging should presumably wait until the several packages now fetching over git:// and http:// switch over. Alternatively, these several recipes could be "grandfathered in" via a kludge (checking for the names of these packages).
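The allow-list policy the PR describes (https, ssh and file accepted; git and http rejected) can be checked outside Emacs as well, for instance when vetting recipes before a build. The script below is an added illustration, not package-build's own code: the function names `repo_scheme` and `allowed_repo_url` and the sample recipe URLs are assumptions, and it treats git's scp-like `user@host:path` syntax and bare local paths the way git itself resolves them (ssh and file transport respectively).

```shell
#!/bin/sh
# Constructed example: allow-list check on a recipe's repository URL.
# Not package-build's own code; names and sample URLs are assumptions.

# repo_scheme URL -> prints the transport scheme git would use for URL
repo_scheme() {
  url=$1
  case $url in
    *://*)
      # explicit scheme, e.g. https://host/path or git://host/path
      printf '%s\n' "${url%%://*}" ;;
    /*|./*|../*)
      # absolute or explicitly relative local path -> file transport
      printf 'file\n' ;;
    *)
      # scp-like "user@host:path" is ssh only if a colon precedes any slash
      before_slash=${url%%/*}
      case $before_slash in
        *:*) printf 'ssh\n' ;;
        *)   printf 'file\n' ;;   # bare relative path, e.g. "pkg"
      esac ;;
  esac
}

# allowed_repo_url URL -> exit 0 when the scheme is on the allow-list,
# 1 otherwise (git:// and http:// fall through to the reject branch)
allowed_repo_url() {
  scheme=$(repo_scheme "$1" | tr 'A-Z' 'a-z')
  case $scheme in
    https|ssh|file) return 0 ;;
    *)              return 1 ;;
  esac
}

# Constructed sample recipe URLs (not taken from any real MELPA recipe)
for u in \
  'https://github.com/example/pkg.git' \
  'git://github.com/example/pkg.git' \
  'http://example.com/pkg.git' \
  'git@github.com:example/pkg.git' \
  'ssh://git@example.com/pkg.git' \
  '/home/me/src/pkg' \
  'file:///home/me/src/pkg'
do
  if allowed_repo_url "$u"; then
    echo "allow  $u"
  else
    echo "reject $u"
  fi
done
```

Running it prints one `allow`/`reject` line per URL; only the `git://` and `http://` entries are rejected. Whether to keep `ssh` on the list is the open question raised above: the check only constrains the transport, it does not verify the remote host key, so in an unattended build environment that decision has to be made separately.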

aplaice commented 3 years ago

Thanks for updating and merging!

tarsius commented 3 years ago

Thanks for your patience :grinning: