Ionut, This is a ridiculous claim. Maybe we should tell that to Amazon, Newegg, and oh I don't know... 99% of websites on the planet? Most sites use https only for logins and transactions. Publicly available information like AUR comments, AUR packages, images, etc. don't really need encryption. Just about everything sent to/from the AUR is not sensitive information. Except login passwords. I would be pissed off if Amazon had the same point of view. What if Amazon decided that their https for logins and credit cards was the same as not having it at all and removed it?
Simply using https for all connections is the easiest and best solution imho. Everything in between is either insecure or inconvenient for the users. And I also don't see the need for it. Every sane http client should handle an http redirect and https. If it does not, it's just a bug in the client. Of course it is unfortunate that this wasn't tested by the clyde author before.
Pierre, How is sending publicly available information unencrypted insecure? It does not warrant a need for additional security in the first place. If someone wants to see what comments you post on a package they go look at the package's page. They don't have to sniff your traffic. I am secure in my AUR traffic's triviality.
How is https for logins inconvenient for users? Forwarding between http and https happens transparently on every major website. Most people wouldn't know it was happening if it wasn't for the padlock graphic. Many still don't.
True story; and a lot of server resources would be saved by not having to encrypt information that doesn't need to be encrypted.

-- 
Kiwis and Limes: http://kaitocracy.blogspot.com/