Hi, Am 03.07.2012 10:28, schrieb Thomas Bächler:
The bbs and bug tracker are https-only. If you would go to the http link, you would be redirected to https. A user cannot login on the main website or send any sensitive information to it, so there is no need to force it to https.
Personally, I'm a big fan of HTTPS, even for seemingly uncritical things. Remember: HTTPS not only makes sure the channel is encrypted, but a key point of the whole PKI infrastructure is to make sure it is the right person/site/party to whom you are talking to. Otherwise you wouldn't need a certificate signed by a known CA. Furthermore it is always conceivable that some man-in-the-middle replaces the download links (along with the hashes) and/or something like that. As you've got a valid certificate obviously, I don't see a reason why not make use of it. Taking Fedora as an example they have their HOME_URL set to the HTTPS version here. When you got HTTPS Everywhere [1] installed, you only get to see the HTTPS version of fedoraproject.org. For Arch Linux, although part of the database of HTTPS Everywhere, this isn't the case. I can't see any disadvantage to propose the use of HTTPS strongly, especially because you've already got valid certificates.
Arch Linux is a community-supported OS, and the bbs is appropriate as a support URL.
By now means I wanted to depreciate the forums. I just wanted to make the point that there are more ways to ask for help and that we should advertise them also.
Not a bad idea at all. As always, you can send a patch against https://projects.archlinux.org/archweb.git/ to include that landing page or submit a bug to the "Web Sites" category via https://bugs.archlinux.org/newtask/proj1. I've filed a feature request (#30518). Unfortunately I'm not familiar with Django, so there is no way I could add this in a reasonable amount of time. However it shouldn't take too long for someone who knows what he is doing.
Best regards, Karol Babioch [1] https://www.eff.org/https-everywhere/