[aur-general] Securing the AUR website

Philipp Überbacher hollunder at lavabit.com
Thu Sep 1 14:44:23 EDT 2011


Excerpts from Gordon JC Pearce's message of 2011-09-01 20:15:28 +0200:
> On Thu, 01 Sep 2011 17:55:57 +0200
> Philipp Überbacher <hollunder at lavabit.com> wrote:
> 
> > Do I understand it correctly that https-everywhere goes through a lot of
> > trouble (browser-plugin with whitelist and custom rules for every page)
> > for what could be achieved by simply defaulting to https?
> 
> I don't really understand why it's so important to break existing links by forcing everyone onto the https page.
> 
> What happens if you *don't want to use https*?  Why are the Arch webby bods forcing this nanny-state twatmuppetry down our throats?

It shouldn't be enforced, it should be the default. But you're right, it
seems it is enforced in some cases, with the redirect on
bugs.archlinux.org for example. In this case the login is on the main
page, which is probably the reason for the redirect. It's really
somewhat confusing, in the meantime I start to think that optimally both
would be available and the browser settings should be the place to
decide (in general).



More information about the aur-general mailing list