On 03.07.2012 12:51, Karol Babioch wrote:
> Hi,
>
> On 03.07.2012 10:28, Thomas Bächler wrote:
>> The bbs and bug tracker are https-only. If you would go to the http
>> link, you would be redirected to https. A user cannot log in on the main
>> website or send any sensitive information to it, so there is no need to
>> force it to https.
>
> Personally, I'm a big fan of HTTPS, even for seemingly uncritical
> things. Remember: HTTPS not only makes sure the channel is encrypted,
> but a key point of the whole PKI infrastructure is to make sure it is
> the right person/site/party to whom you are talking. Otherwise you
> wouldn't need a certificate signed by a known CA. Furthermore it is
> always conceivable that some man-in-the-middle replaces the download
> links (along with the hashes) and/or something like that. As you've got
> a valid certificate obviously, I don't see a reason not to make use of it.

Those are all valid concerns. I don't know why this particular URL was
chosen. I guess nobody has put nearly as much thought into this as you did.

> Taking Fedora as an example, they have their HOME_URL set to the HTTPS
> version here. When you have HTTPS Everywhere [1] installed, you only get
> to see the HTTPS version of fedoraproject.org. For Arch Linux, although
> part of the database of HTTPS Everywhere, this isn't the case. I can't
> see any disadvantage in strongly proposing the use of HTTPS, especially
> because you've already got valid certificates.

<ruleset name="Arch Linux">
  <target host="archlinux.org"/>
  <target host="*.archlinux.org"/>

  <rule from="^http://archlinux\.org/" to="https://www.archlinux.org/"/>
  <rule from="^http://([^/:@\.]+)\.archlinux\.org/" to="https://$1.archlinux.org/"/>
</ruleset>

I always get https by default here.

>> Not a bad idea at all. As always, you can send a patch against
>> https://projects.archlinux.org/archweb.git/ to include that landing page
>> or submit a bug to the "Web Sites" category via
>> https://bugs.archlinux.org/newtask/proj1.
>
> I've filed a feature request (#30518). Unfortunately I'm not familiar
> with Django, so there is no way I could add this in a reasonable amount
> of time. However it shouldn't take too long for someone who knows what
> he is doing.

Thanks.
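Added example (not part of the original message and not HTTPS Everywhere's own code): a simplified JavaScript model of how the ruleset quoted above is applied to URLs. The target-matching behaviour, the function names and the sample URLs are assumptions made for illustration.

```javascript
// Simplified model of applying an HTTPS Everywhere style ruleset.
// Targets and rules are copied from the ruleset quoted in the message;
// function names and sample URLs are constructed for this example.
const archRuleset = {
  name: "Arch Linux",
  targets: ["archlinux.org", "*.archlinux.org"],
  rules: [
    { from: /^http:\/\/archlinux\.org\//, to: "https://www.archlinux.org/" },
    { from: /^http:\/\/([^\/:@\.]+)\.archlinux\.org\//, to: "https://$1.archlinux.org/" },
  ],
};

// Assumption: a left-hand "*." target matches any host ending in that suffix.
function targetMatches(target, host) {
  if (target.startsWith("*.")) return host.endsWith(target.slice(1));
  return host === target;
}

// Returns the rewritten URL, or null when no target or no rule applies.
function rewrite(ruleset, url) {
  let host;
  try {
    host = new URL(url).hostname;
  } catch (e) {
    return null; // not a parseable absolute URL
  }
  if (!ruleset.targets.some((t) => targetMatches(t, host))) return null;
  for (const rule of ruleset.rules) {
    // Assumption: the first rule whose pattern matches is the one applied.
    if (rule.from.test(url)) return url.replace(rule.from, rule.to);
  }
  return null;
}

const samples = [ // constructed sample URLs
  "http://archlinux.org/download/",
  "http://bugs.archlinux.org/newtask/proj1",
  "http://a.b.archlinux.org/",         // two-label subdomain: the capture group excludes dots
  "http://archlinux.org:8080/",        // explicit port: neither pattern allows ":" before "/"
  "https://www.archlinux.org/",        // already HTTPS
  "http://archlinux.org.example.net/", // look-alike host outside the targets
];
for (const url of samples) {
  console.log(url, "->", rewrite(archRuleset, url) ?? "(unchanged)");
}
```

Under this model, a request with an explicit port or a multi-label subdomain is left on plain HTTP, because neither `from` pattern matches it.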