Hello all,

It does not appear to be possible to obtain the Git repository for Org
via HTTPS or SSH, only via HTTP. I have checked the manual and
searched the Internet to see if there is a way, but no luck. I only
found an unanswered inquiry from earlier this year [1].

—Why is HTTPS/SSH necessary when Org releases are signed with GPG?
Well, only releases are signed. If you want to clone the development
version of Org, there appears to be no way to verify that it has not
been tampered with, since the clone was using an insecure protocol.

—Why do I care about this?
I maintain the package manager straight.el [2], which installs
packages by cloning their Git repositories. By default, the
development version of a package is installed. It would be
irresponsible to install packages via HTTP, so straight.el is forced
to install Org from the EmacsMirror [3] instead. This makes me
uncomfortable, since I would prefer to install packages from their
authoritative upstream sources—this makes contributing back to those
packages easier.

Have I missed something? Is it already possible to obtain Org
securely? If not, is making that possible a current goal of the
project? If not, what is the difficulty and can I help?

Best regards,
Radon Rosborough

[1]: http://lists.gnu.org/archive/html/emacs-orgmode/2017-03/msg00335.html
[2]: https://github.com/raxod502/straight.el
[3]: https://github.com/emacsmirror/org
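
The transport concern raised in the message above can be enforced mechanically before any clone happens. The following is an added example, not part of the original message and not straight.el's code: a check that classifies a Git remote URL by whether its transport authenticates the server. The function names, the sample recipe table and the `.example` hosts are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Transports that authenticate the server and protect integrity in transit.
AUTHENTICATED = {"https", "ssh", "git+ssh", "ssh+git"}
# Transports with no server authentication or integrity protection.
PLAINTEXT = {"http", "git", "ftp"}

# scp-like SSH syntax accepted by git: [user@]host:path, no slash before the colon.
SCP_LIKE = re.compile(r"^(?:[^@/\s]+@)?([A-Za-z0-9.\-]+):(?!//)(\S+)$")


def classify_remote(url):
    """Return (verdict, transport) for a Git remote URL (hypothetical helper)."""
    url = url.strip()
    if "://" in url:
        scheme = urlsplit(url).scheme.lower()
        if scheme in AUTHENTICATED:
            return ("ok", scheme)
        if scheme in PLAINTEXT:
            return ("reject", scheme)
        if scheme == "file":
            return ("local", scheme)
        return ("unknown", scheme)
    if SCP_LIKE.match(url):
        return ("ok", "ssh")
    # Anything else is treated as a path on the local filesystem.
    return ("local", "path")


def audit(recipes):
    """Map package name -> (verdict, transport) for a table of name -> URL."""
    return {name: classify_remote(url) for name, url in recipes.items()}


# Constructed sample recipes; only the mirror URL comes from the message above.
SAMPLE = {
    "org-upstream": "http://upstream.example/org-mode.git",
    "org-mirror": "https://github.com/emacsmirror/org",
    "pkg-ssh": "git@git.example:team/pkg.git",
    "pkg-gitproto": "git://git.example/pkg.git",
}

if __name__ == "__main__":
    for name, (verdict, transport) in audit(SAMPLE).items():
        print(f"{name:14} {transport:6} {verdict}")
```

An "ok" verdict only says the transport authenticates the server; it says nothing about whether the commits themselves are signed.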
