[OS X Emacs] Verifying Aquamacs

David Reitter david.reitter at gmail.com
Sat Apr 25 05:18:42 EDT 2020 

>
> The simpler solution (going forward) is to change the update URL going
> forward to be something like update.aquamacs.org, and make the update
> check via HTTP.



> FWIW, this is a little confusing because I’m not sure why it would be any
> easier to remotely change the URL being checked for update than it would be
> to remotely update the certificate being trusted. If the update mechanism
> isn’t working, _any_ client-side change to fix it would seem to need a
> manual download to get started.


Yes, that's what I meant when I wrote "going forward", and said that a
solution is needed to not enforce HTTPS on requests to currentversion.cgi.
On the client-side, it is easy to change that URL, but of course people
would have to update Aquamacs to get it.

On Fri, Apr 24, 2020 at 4:16 PM John Wroclawski <jtw at csail.mit.edu> wrote:

> Hi David,
>
> On Apr 24, 2020, at 4:00 PM, David Reitter <david.reitter at gmail.com>
> wrote:
>
> You forget that there are some 100,000 copies of Aquamacs sitting on
> people's computers.  You can't remotely update which certificates are
> trusted.
>
>
> The simpler solution (going forward) is to change the update URL going
> forward to be something like update.aquamacs.org, and make the update
> check via HTTP.
>
>
> FWIW, this is a little confusing because I’m not sure why it would be any
> easier to remotely change the URL being checked for update than it would be
> to remotely update the certificate being trusted. If the update mechanism
> isn’t working, _any_ client-side change to fix it would seem to need a
> manual download to get started.
>
> (But, having said that, I do agree that the simplest short-term thing to
> do is almost surely to change the website so that the (current) update URL
> is loaded via HTTP..)
>
> (But, having said _that_, I do also recognize that many people would
> prefer to see it be HTTPS in the end notwithstanding the code-signing, so
> maybe sometime there'll be motivation to wire the whole thing into macOS
> certificate validation so it’ll all “just work” going forward..)
>
> Cheers, -John
>
>
> _____________________________________________________________
> MacOSX-Emacs mailing list
> MacOSX-Emacs at email.esm.psu.edu
> https://email.esm.psu.edu/mailman/listinfo/macosx-emacs
> List Archives: http://dir.gmane.org/gmane.emacs.macintosh.osx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://email.esm.psu.edu/pipermail/macosx-emacs/attachments/20200425/aeedc06d/attachment.htm>

More information about the MacOSX-Emacs mailing list