[aur-general] Securing the AUR website

Lukas Fleischer archlinux at cryptocrack.de
Thu Sep 1 07:01:50 EDT 2011


On Thu, Sep 01, 2011 at 12:51:24PM +0200, Philipp Überbacher wrote:
> Excerpts from Lukas Fleischer's message of 2011-09-01 12:32:03 +0200:
> > On Thu, Sep 01, 2011 at 12:13:53PM +0200, Philipp Überbacher wrote:
> [...]
> > > I sadly followed this discussion only remotely when it was ongoing, so I
> > > have to ask: The agreed upon solution for now is to default to http and
> > > only allow login from https? At least that's how it is at the moment and
> > > the http default feels a bit weird to me. When I can only log in with
> > > https I get the feeling I should use https and wonder why it isn't the
> > > default. I had a look at other parts of the Arch Linux website as well,
> > > here's an overview of the defaults:
> > > 
> > > archlinux.org       -> http     -> no login anyway
> > > bbs.archlinux.org   -> https    -> separate login page
> > > wiki.archlinux.org  -> https    -> separate login page
> > > bugs.archlinux.org  -> https    -> login on main page
> > > aur.archlinux.org   -> http     -> login on main page
> > > 
> > > As you can see, AUR is the fish out of water here, login is on the
> > > arrival page, but you can't log in by default. I'm sorry to make the
> > > suggestion this late, but I'd vote for https as default for AUR.
> > 
> > HTTPs is the default - unless you request the HTTP version explicitly. I
> > know that some of the navigation bar links aren't updated yet. I sent a
> > patch for Flyspray to Pierre, and also asked him to update the header
> > include used in our cgit setup. It should be only a matter of time until
> > all links are up-to-date.
> 
> When I type aur.archlinux.org in firefox I get the http version, that's
> what I mean by default. Thanks for your efforts to secure AUR.

Yeah, you request the HTTP version (your browser does this automatically
if you skip the protocol part), so this is kind of expected behaviour.
We could introduce an HTTPs redirect for the AUR home page. Not sure if
that is the right thing to do, though.
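As an added illustration of the two policies discussed in this thread (serve the site over HTTPS by default via a redirect, and accept logins only over HTTPS), here is a small WSGI application. It is not code from the AUR project; the host name, the `/login` path and the cookie name are placeholders chosen for the example. A login POST that arrives over plain HTTP is refused with 403 rather than redirected, because by the time the server sees it the credentials have already crossed the network in cleartext and a redirect would only turn the POST into a GET.

```python
# Added example, not AUR code: enforce "HTTPS by default, login only over HTTPS".
from urllib.parse import quote

CANONICAL_HOST = "aur.example.test"  # constructed placeholder, not the real AUR host
HSTS = ("Strict-Transport-Security", "max-age=31536000")


def is_https(environ):
    """Only trust the scheme the WSGI server itself reports."""
    return environ.get("wsgi.url_scheme", "http") == "https"


def https_location(environ):
    """Rebuild the requested URL on the canonical HTTPS origin."""
    path = quote(environ.get("PATH_INFO", "/") or "/")
    url = f"https://{CANONICAL_HOST}{path}"
    qs = environ.get("QUERY_STRING", "")
    return url + ("?" + qs if qs else "")


def app(environ, start_response):
    method = environ.get("REQUEST_METHOD", "GET")
    path = environ.get("PATH_INFO", "/") or "/"

    if not is_https(environ):
        if path == "/login" and method == "POST":
            # Credentials already left the client in plaintext; redirecting
            # would not undo that, so reject and tell the user why.
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Login is only accepted over HTTPS.\n"]
        # Every other plain-HTTP request (the home page included) is sent
        # to the HTTPS equivalent, which makes HTTPS the effective default.
        start_response("301 Moved Permanently",
                       [("Location", https_location(environ)),
                        ("Content-Type", "text/plain")])
        return [b"Redirecting to HTTPS.\n"]

    headers = [("Content-Type", "text/plain"), HSTS]
    if path == "/login" and method == "POST":
        # Session cookie carries Secure so browsers never send it over HTTP.
        headers.append(("Set-Cookie",
                        "sid=placeholder-session-id; Secure; HttpOnly; Path=/"))
        start_response("200 OK", headers)
        return [b"Logged in.\n"]
    start_response("200 OK", headers)
    return [b"Home page over HTTPS.\n"]


def handle(method, path, scheme, query=""):
    """Drive the app with a constructed WSGI environ; returns (status, headers, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "QUERY_STRING": query, "wsgi.url_scheme": scheme,
               "HTTP_HOST": CANONICAL_HOST}
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status
        captured["headers"] = dict(response_headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for req in [("GET", "/", "http"), ("POST", "/login", "http"),
                ("POST", "/login", "https")]:
        print(req, handle(*req)[:2])
```

The `Strict-Transport-Security` header is what makes the redirect stick: once a browser has seen it on an HTTPS response, typing the bare host name no longer produces the plain-HTTP request that started this thread.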
