[aur-general] Securing the AUR website

rafael ff1 rafael.f.f1 at gmail.com
Thu Sep 1 18:57:51 EDT 2011


2011/9/1 Philipp Überbacher <hollunder at lavabit.com>:
> Excerpts from Gordon JC Pearce's message of 2011-09-01 20:15:28 +0200:
>> On Thu, 01 Sep 2011 17:55:57 +0200
>> Philipp Überbacher <hollunder at lavabit.com> wrote:
>>
>> > Do I understand it correctly that https-everywhere goes through a lot of
>> > trouble (browser-plugin with whitelist and custom rules for every page)
>> > for what could be achieved by simply defaulting to https?
>>
>> I don't really understand why it's so important to break existing links by forcing everyone onto the https page.
>>
>> What happens if you *don't want to use https*?  Why are the Arch webby bods forcing this nanny-state twatmuppetry down our throats?
>
> It shouldn't be enforced, it should be the default. But you're right, it
> seems it is enforced in some cases, with the redirect on
> bugs.archlinux.org for example. In this case the login is on the main
> page, which is probably the reason for the redirect. It's really
> somewhat confusing, in the meantime I start to think that optimally both
> would be available and the browser settings should be the place to
> decide (in general).
>
>

I normally look for AUR packages in my Google search engine, in case
I'm not already in the AUR interface. Since https is the default login,
Google search finds the http interface.
That's not that bad, but if I want to log in after that, I can't just
mouse-click the new "http login disabled" message.
IMHO, it would be nice to have a URL in front of this warning that
forwards to https on the same page you are at the moment, instead of
going to AUR Home. Example:
http://aur.archlinux.org/packages.php?ID=41362 # goes to
https://aur.archlinux.org/packages.php?ID=41362

-- Rafael
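
The same-page https link requested above, as an added example that is not part of the original message and is not the AUR's own code. The function names and the pinned `CANONICAL_HOST` are assumptions; the host is taken from configuration rather than from the request's Host header, so the link can only ever point at the site itself.

```python
import html
from urllib.parse import urlsplit, urlunsplit

# Assumption: the site's single canonical host name, pinned in configuration
# instead of being read from the client-supplied Host header.
CANONICAL_HOST = "aur.archlinux.org"


def https_equivalent(request_target: str, host: str = CANONICAL_HOST) -> str:
    """Return the https:// URL of the page currently being served over http.

    request_target is the path plus optional query from the request line,
    e.g. "/packages.php?ID=41362". Anything that is not a plain local
    path falls back to the site root.
    """
    home = urlunsplit(("https", host, "/", "", ""))
    # Control characters could split the header or markup the link ends up in.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in request_target):
        return home
    # Require exactly one leading slash: "//host/..." and "/\host" are
    # treated by browsers as pointing at another host.
    if (not request_target.startswith("/")
            or request_target.startswith("//")
            or "\\" in request_target):
        return home
    parts = urlsplit(request_target)
    if parts.scheme or parts.netloc:
        return home
    # Keep path and query so the user lands on the same page; drop fragments.
    return urlunsplit(("https", host, parts.path, parts.query, ""))


def login_notice_html(request_target: str) -> str:
    """Render the "http login disabled" notice with a clickable https link."""
    url = https_equivalent(request_target)
    # Escape for the attribute context ("&" in the query becomes "&amp;").
    return ('HTTP login is disabled. <a href="%s">Switch to HTTPS</a> to log in.'
            % html.escape(url, quote=True))


if __name__ == "__main__":
    print(login_notice_html("/packages.php?ID=41362"))
```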

