[aur-general] Securing the AUR website

Lukas Fleischer archlinux at cryptocrack.de
Fri Aug 5 20:18:21 EDT 2011


On Sat, Aug 06, 2011 at 01:16:45AM +0300, Ionut Biru wrote:
> On 08/06/2011 12:54 AM, Lukas Fleischer wrote:
> 
> >>
> >>To prevent session hijacking, MITM attacks or whatnot I'd recommend the
> >>following:
> >>* Redirect all http traffic to https by default
> >
> >We won't do that. HTTPS will be the default but we won't force users to
> >use HTTPS. If you decide to use HTTP intentionally, we won't prevent you
> >from doing so. HTTPS implies an unnecessary overhead and there's no
> >point in forcing everybody to use HTTPS even if one doesn't even have an
> >AUR account.
> >
> 
> That reason is a bit childish. We had this discussion 1 year ago and
> only you and Loui were against.
> 
> Seriously now, why are you against HTTPS? Do you use some AUR helper
> that is broken and uses HTTP and cannot handle redirects well?

Dude, please stick to the facts. IIRC, I didn't even interfere in the
last HTTPS discussion and I nowhere mentioned being against HTTPS. I am
totally for making HTTPS the default, I'm just against enforcing it. As
you can see, I even committed a few patches replacing all links the AUR
ever spits out with HTTPS ones. Everything else is only a matter of server
configuration and I am against disabling plain HTTP here.

Is there any *real* reason to do that? Even archweb doesn't do that and
I don't understand the concerns here. Every half-attentive user should be
perfectly fine with how we do it in current master. And in case you're
really, really paranoid, just set up a proxy that blocks HTTP connections
to the AUR.

Oh, and by the way. I don't use any AUR helper at all. Just to say that.
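As an added illustration of the "only a matter of server configuration" point in the thread, the following nginx configuration shows both settings under discussion: the plain-HTTP server block that leaves a browser's session cookie exposed on the wire (the session hijacking risk the quoted recommendation refers to), and the hardened form that redirects HTTP to HTTPS and tells browsers to stay on HTTPS via HSTS. This is example configuration written for this page, not the AUR's or Arch Linux's actual server setup; the hostname aur.example.org and the certificate paths are placeholders.

```nginx
# Added example, not the AUR's real configuration. Hostname and
# certificate paths are placeholders.

# Weak setting: plain HTTP is served as-is, so a session cookie a browser
# sends on port 80 travels in cleartext and can be read or replayed by
# anyone on the path.
#
# server {
#     listen 80;
#     server_name aur.example.org;
#     root /srv/http/aur;
# }

# Hardened form: port 80 only answers with a permanent redirect to HTTPS,
# so no application content or cookie is ever exchanged over plain HTTP.
server {
    listen 80;
    server_name aur.example.org;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name aur.example.org;

    ssl_certificate     /etc/ssl/certs/aur.example.org.pem;   # placeholder
    ssl_certificate_key /etc/ssl/private/aur.example.org.key; # placeholder

    root /srv/http/aur;

    # HSTS: browsers that have seen this header rewrite future http://
    # links to https:// themselves, so a stripped or downgraded first
    # request is not repeated for the next year. "always" emits the header
    # on error responses too.
    add_header Strict-Transport-Security "max-age=31536000" always;
}
```

The redirect alone does not protect a cookie the application has already set without the Secure flag: a browser still attaches such a cookie to the initial plain-HTTP request before the redirect is followed. For a PHP application like the AUR that means also setting session.cookie_secure = 1 (and session.cookie_httponly = 1) in php.ini or via ini_set(), so the session cookie is only ever sent over TLS.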
