[aur-general] Securing the AUR website
matej.lach at gmail.com
Thu Sep 1 07:07:08 EDT 2011
On 01/09/11 12:01, Lukas Fleischer wrote:
> On Thu, Sep 01, 2011 at 12:51:24PM +0200, Philipp Überbacher wrote:
>> Excerpts from Lukas Fleischer's message of 2011-09-01 12:32:03 +0200:
>>> On Thu, Sep 01, 2011 at 12:13:53PM +0200, Philipp Überbacher wrote:
>>>> I sadly followed this discussion only remotely when it was ongoing, so I
>>>> have to ask: The agreed upon solution for now is to default to http and
>>>> only allow login from https? At least that's how it is at the moment and
>>>> the http default feels a bit weird to me. When I can only log in with
>>>> https I get the feeling I should use https and wonder why it isn't the
>>>> default. I had a look at other parts of the Arch Linux website as well,
>>>> here's an overview of the defaults:
>>>> archlinux.org -> http -> no login anyway
>>>> bbs.archlinux.org -> https -> separate login page
>>>> wiki.archlinux.org -> https -> separate login page
>>>> bugs.archlinux.org -> https -> login on main page
>>>> aur.archlinux.org -> http -> login on main page
>>>> As you can see, AUR is the fish out of water here, login is on the
>>>> arrival page, but you can't log in by default. I'm sorry to make the
>>>> suggestion this late, but I'd vote for https as default for AUR.
>>> HTTPs is the default - unless you request the HTTP version explicitly. I
>>> know that some of the navigation bar links aren't updated yet. I sent a
>>> patch for Flyspray to Pierre, and also asked him to update the header
>>> include used in our cgit setup. It should be only a matter of time until
>>> all links are up-to-date.
>> When I type aur.archlinux.org in firefox I get the http version, that's
>> what I mean by default. Thanks for your efforts to secure AUR.
> Yeah, you request the HTTP version (your browser does this automatically
> if you skip the protocol part), so this is kind of expected behaviour.
> We could introduce an HTTPs redirect for the AUR home page. Not sure if
> that is the right thing to do, though.
There's an option if firefox that should use https under Advanced >
Encryption tab in Preferences, if I remember that correctly.
More information about the aur-general