Package: emacs24 Version: 24.5+1-1 Severity: normal Tags: patch emacs currently uses http://elpa.gnu.org as the default built-in package repository.
Fortunately, that server already works over HTTPS too, so my patch simply changes the default config to use an HTTPS URL for this. I will submit this change upstream too, but it would be great if Debian users could be protected before emacs25. Francois
>From 8b194e2ce9850c40f75d8a79aa6fc952971710b7 Mon Sep 17 00:00:00 2001 From: Francois Marier <franc...@debian.org> Date: Sun, 30 Aug 2015 11:31:21 -0700 Subject: Use HTTPS when talking to elpa.gnu.org diff --git a/lisp/emacs-lisp/package.el b/lisp/emacs-lisp/package.el index 7c4f21f..445af4e 100644 --- a/lisp/emacs-lisp/package.el +++ b/lisp/emacs-lisp/package.el @@ -204,7 +204,7 @@ If VERSION is nil, the package is not loaded (it is \"disabled\")." :risky t :version "24.1") -(defcustom package-archives '(("gnu" . "http://elpa.gnu.org/packages/")) +(defcustom package-archives '(("gnu" . "https://elpa.gnu.org/packages/")) "An alist of archives from which to fetch. The default value points to the GNU Emacs package repository. -- 2.5.1