On Sat, Aug 06, 2011 at 01:16:45AM +0300, Ionut Biru wrote:
> On 08/06/2011 12:54 AM, Lukas Fleischer wrote:
>>> To prevent session hijacking, MITM attacks or whatnot I'd recommend the following:
>>>
>>> * Redirect all http traffic to https by default
>>
>> We won't do that. HTTPs will be the default but we won't force users to use HTTPs. If you decide to use HTTP intentionally, we won't prevent you from doing so. HTTPs implies an unnecessary overhead and there's no point in forcing everybody to use HTTPs, even if one doesn't even have an AUR account.
>
> That reason is a bit childish. We had this discussion 1 year ago and only you and Loui were against.
>
> Seriously now, why are you against https? Do you use some AUR helper that is broken and uses http and cannot handle redirects well?

Dude, please stick to the facts. IIRC, I didn't even interfere in the last HTTPs discussion and I nowhere mentioned being against HTTPs. I am totally for making HTTPs the default, I'm just against enforcing it. As you can see, I even committed a few patches replacing all links the AUR ever spits out with HTTPs ones. Everything else is only a matter of server configuration and I am against disabling plain HTTP here. Is there any *real* reason to do that? Even archweb doesn't do that and I don't understand the concerns here. Every half-attentive user should be perfectly fine with how we do it in current master. And in case you're really, really paranoid, just set up a proxy that blocks HTTP connections to the AUR.

Oh, and by the way: I don't use any AUR helper at all. Just to say that.