[aur-general] Securing the AUR website

Thomas Bächler thomas at archlinux.org
Thu Sep 1 08:16:20 EDT 2011

On 01.09.2011 13:01, Lukas Fleischer wrote:
>>>> archlinux.org       -> http     -> no login anyway
>>>> bbs.archlinux.org   -> https    -> separate login page
>>>> wiki.archlinux.org  -> https    -> separate login page
>>>> bugs.archlinux.org  -> https    -> login on main page
>>>> aur.archlinux.org   -> http     -> login on main page
>>>> As you can see, AUR is the fish out of water here, login is on the
>>>> arrival page, but you can't log in by default. I'm sorry to make the
>>>> suggestion this late, but I'd vote for https as default for AUR.
>>> HTTPS is the default - unless you request the HTTP version explicitly. I
>>> know that some of the navigation bar links aren't updated yet. I sent a
>>> patch for Flyspray to Pierre, and also asked him to update the header
>>> include used in our cgit setup. It should be only a matter of time until
>>> all links are up-to-date.
>> When I type aur.archlinux.org in Firefox I get the http version, that's
>> what I mean by default. Thanks for your efforts to secure AUR.
> Yeah, you request the HTTP version (your browser does this automatically
> if you skip the protocol part), so this is kind of expected behaviour.
> We could introduce an HTTPS redirect for the AUR home page. Not sure if
> that is the right thing to do, though.

I'd like to remind everyone again that Arch Linux is now included in the
https-everywhere default rules, see [1]. This will always redirect you
to https on every Arch Linux site (even releng, www, planet, where it
isn't actually needed).

[1] https://www.eff.org/https-everywhere/
