[arch-general] /etc/os-release: Suggestions for improvements

Karol Babioch karol at babioch.de
Tue Jul 3 06:51:28 EDT 2012


Am 03.07.2012 10:28, schrieb Thomas Bächler:
> The bbs and bug tracker are https-only. If you would go to the http
> link, you would be redirected to https. A user cannot login on the main
> website or send any sensitive information to it, so there is no need to
> force it to https.

Personally, I'm a big fan of HTTPS, even for seemingly uncritical
things. Remember: HTTPS not only makes sure the channel is encrypted,
but a key point of the whole PKI infrastructure is to make sure it is
the right person/site/party to whom you are talking to. Otherwise you
wouldn't need a certificate signed by a known CA. Furthermore it is
always conceivable that some man-in-the-middle replaces the download
links (along with the hashes) and/or something like that. As you've got
a valid certificate obviously, I don't see a reason why not make use of it.

Taking Fedora as an example they have their HOME_URL set to the HTTPS
version here. When you got HTTPS Everywhere [1] installed, you only get
to see the HTTPS version of fedoraproject.org. For Arch Linux, although
part of the database of HTTPS Everywhere, this isn't the case. I can't
see any disadvantage to propose the use of HTTPS strongly, especially
because you've already got valid certificates.

> Arch Linux is a community-supported OS, and the bbs is appropriate as a
> support URL.

By now means I wanted to depreciate the forums. I just wanted to make
the point that there are more ways to ask for help and that we should
advertise them also.

> Not a bad idea at all. As always, you can send a patch against
> https://projects.archlinux.org/archweb.git/ to include that landing page
> or submit a bug to the "Web Sites" category via
> https://bugs.archlinux.org/newtask/proj1.
I've filed a feature request (#30518). Unfortunately I'm not familiar
with Django, so there is no way I could add this in a reasonable amount
of time. However it shouldn't take too long for someone who knows what
he is doing.

Best regards,
Karol Babioch

[1] https://www.eff.org/https-everywhere/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 900 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.archlinux.org/pipermail/arch-general/attachments/20120703/ba1a4cb3/attachment.asc>

More information about the arch-general mailing list