[aur-general] aur website default ssl
Ionuț Bîru
ibiru at archlinux.org
Wed Oct 27 04:40:19 EDT 2010
On 10/27/2010 05:49 AM, Justin Davis wrote:
> On Tue, Oct 26, 2010 at 1:50 PM, Ionuț Bîru<ibiru at archlinux.org> wrote:
>> Hi,
>>
>> we are now using default https for aur.archlinux.org. Some aur helpers may
>> need adjustment, others like cower/slurpy already works as expected.
>>
>> Kudos for their maintainers for following the aur development
>
> Hi I maintain clyde lately. I try to keep it working anyways. This
> mandatory switch to https breaks clyde's AUR support. Clyde's AUR
> support is the only reason to use it, really... it is an AUR helper
> after all. Forcing all traffic to https is not what I would call
> "default". Default would be cool but generally a default option is not
> the _only_ option.
>
Hi, i didn't know that there is another maintainer and i announced
personally Digitalkiwi, for more than one month(i believe), that we are
switching. He said that is working and it shouldn't be a problem.
> I hadn't joined aur-dev. I am assuming the switch was announced there.
> I already am a part of this mailing list and most of what I receive
> from it is junk to me. I also joined the pacdev mailing list long ago
> but filtered that because it fills my mailbox with stuff I don't care
> about. All I care about are API changes to libalpm, really, and I
> usually just diff the sources to find them.
>
This switch was mostly discuss it in bugtracker
> Out of curiosity I looked at slurpy on github and it hasn't been
> updated since July. Cower was updated 4 days ago. If an AUR helper
> uses a sufficiently high-level interface they won't need to update
> because they get forwarded to the HTTPS URI. Everything is
> automagically fixed for them. Clyde is probably the only AUR helper to
> suffer from this because of its low-level Luasocket library. Maybe
> paktahn as well. Kudos to falconindy at least for updating cower to
> use https by default.
>
That was mostly a rant by me side and is should be ignored :P
> I'm glad that logins to the AUR are now encrypted. Previously they
> weren't which is always surprising to find out. Other than logins I
> could care less if my traffic is sniffed. I know the logic is easier
> to just switch _everything_ to HTTPS but could maybe we just use https
> for logins? Could you allow HTTPS to be optional (except for logins)
> and then give validity to the term "default"?
>
As i said earlier in a reply to Loui, maybe we can do it better.Having
https only for login and then redirecting to http is like not having it
at all.
--
Ionuț
More information about the aur-general
mailing list