melpa / package-build

Tools for assembling a package archive
https://github.com/melpa/melpa
25 stars 34 forks source link

Prevent fetching from git using an insecure protocol #42

Closed aplaice closed 3 years ago

aplaice commented 4 years ago

(As suggested here.)

This is to prevent https://github.com/melpa/melpa/issues/3004 from coming up again.

I have no idea whether this is the cleanest approach, but it seems to work (allowing building packages that use https:, but not those that use git:), so hopefully with feedback it might be massaged into something useful. (That is assuming that making changes in package-build is not deemed to be an overkill for the issue.)

hg

I have not touched the checkout code for mercurial, since I have very little experience with hg, and hence I'm not sure which protocols should be allowed. Obviously, the same approach would also work for it.

file and ssh protocols

I've kept the "file" and "ssh" protocols, in addition to the obvious ("https"). I remember specifying a local path in a recipe, for local testing, in the distant past, so I think the file protocol (used implicitly or explicitly) should definitely be kept; anyway, it's not insecure. I'm less sure about ssh — in principle ssh's TOFU provides some security, but probably not in an automated environment (MELPA's servers).


In the highly unlikely case that this is ready as-is, merging should presumably wait until the several packages now fetching over git:// and http:// switch over. Alternatively, these several recipes could be "grandfathered in" via a kludge (checking for the names of these packages).

aplaice commented 3 years ago

Thanks for updating and merging!

tarsius commented 3 years ago

Thanks for you patience :grinning: