[aur-general] Securing the AUR website

Gordon JC Pearce gordonjcp at gjcp.net
Sat Sep 3 11:49:21 EDT 2011

On Sat, 03 Sep 2011 15:49:30 +0100
Matej Ľach <matej.lach at gmail.com> wrote:

> On 03/09/11 14:55, Gordon JC Pearce wrote:
> > On Sat, 3 Sep 2011 01:18:58 -0300
> > rafael ff1<rafael.f.f1 at gmail.com>  wrote:
> >
> >> 's' stands for Secure. Maybe security is a good reason.
> >>
> > Oh, okay, so you put an "S" in and it waves the magic "secure" stick.  Very good.
> >
> > What happens if you're using a password you don't care about for AUR?
> >
> If you are using such password then you are putting AUR at risk because 
> if your password can be easily cracked there is a possibility that an 

I didn't say it could be "easily cracked".  I said it's a password that I don't particularly care if I run up against the tiny, vanishingly small chance that anyone is bored enough to somehow tap into my LAN and sniff it.

> attacker would be able to compromise the whole AUR service using your 

> Is there any particular problem why you can't/don't want to use HTTPS?
> If yes, we may be able to help you...

One is that https is painfully slow over slow or unreliable connections (GPRS springs to mind; 3G service is patchy here).
The other is that switching to https has left AUR in a fundamentally broken state.  If you search for a package on AUR with any of the significant search engines, they return an http link.  You can't do anything with this, though, because *even if you're logged in* you get the "ZOMG OH NOES YOU AREN'T USING HTTPS AND HTTPS IS TEH AWSUM!!!!11!!11!" message.
Now, if clicking on that took you *to the same page but with https* that would be fine, but it doesn't.  It unceremoniously dumps you on the index page for AUR, with no way to get back to the package that you googled.

So, the only way to use AUR from (say) Google is to search for a package, click on it, copy the address from the bar, click on the https login link, log in (since even if you're logged in, visiting the http page seems to log you out), then paste the address you got from the search engine into the address bar, edit it to go to https, then hit return.  This is hardly a seamless user experience, but it ought to be trivial to fix.

Sort it the fuck out.

If you want me to put my money where my mouth is and contribute some code, then just ask.

Gordon JC Pearce MM0YEQ <gordonjcp at gjcp.net>

More information about the aur-general mailing list