[aur-general] aur website default ssl

[Justin Davis]

On Tue, Oct 26, 2010 at 1:50 PM, Ionuț Bîru <ibiru at archlinux.org> wrote:
> Hi,
>
> we are now using default https for aur.archlinux.org. Some aur helpers may
> need adjustment, others like cower/slurpy already works as expected.
>
> Kudos for their maintainers for following the aur development

Hi I maintain clyde lately. I try to keep it working anyways. This
mandatory switch to https breaks clyde's AUR support. Clyde's AUR
support is the only reason to use it, really... it is an AUR helper
after all. Forcing all traffic to https is not what I would call
"default". Default would be cool but generally a default option is not
the _only_ option.

I hadn't joined aur-dev. I am assuming the switch was announced there.
I already am a part of this mailing list and most of what I receive
from it is junk to me. I also joined the pacdev mailing list long ago
but filtered that because it fills my mailbox with stuff I don't care
about. All I care about are API changes to libalpm, really, and I
usually just diff the sources to find them.

Out of curiosity I looked at slurpy on github and it hasn't been
updated since July. Cower was updated 4 days ago. If an AUR helper
uses a sufficiently high-level interface they won't need to update
because they get forwarded to the HTTPS URI. Everything is
automagically fixed for them. Clyde is probably the only AUR helper to
suffer from this because of its low-level Luasocket library. Maybe
paktahn as well. Kudos to falconindy at least for updating cower to
use https by default.

I'm glad that logins to the AUR are now encrypted. Previously they
weren't which is always surprising to find out. Other than logins I
could care less if my traffic is sniffed. I know the logic is easier
to just switch _everything_ to HTTPS but could maybe we just use https
for logins? Could you allow HTTPS to be optional (except for logins)
and then give validity to the term "default"?

-- 
-Justin