[aur-general] Securing the AUR website

Ionut Biru ibiru at archlinux.org
Fri Aug 5 18:16:45 EDT 2011

On 08/06/2011 12:54 AM, Lukas Fleischer wrote:

>> To prevent session hijacking, mtm attacks or whatnot I'd recommend the
>> following:
>> * Redirect all http traffic to https by default
> We won't do that. HTTPs will be the default but we won't force users to
> use HTTPs. If you decide to use HTTP intentionally, we won't prevent you
> from doing so. HTTPs implies an unnecessary overhead and there's no
> point in forcing everybody to use HTTPs even if one doesn't even have an
> AUR account.

That reason is a bit childish. We had this discussion 1 year ago and 
only you and Loui were against.

Seriously now, why are you against https? Do you use some aur helper
that is broken and uses http and cannot handle redirects well?

