2014-07-15 21:39 GMT+02:00 Philipp Kern <pk...@debian.org>:
> On 2014-07-15 16:00, Thorsten Glaser wrote:
>>>
>>> Martin Zobel-Helas dixit:
>>>>
>>>> Furthermore, we will change the people.debian.org web-service such that
>>>> only HTTPS connections will be supported (unencrypted requests will be
>>>> redirected).
>>
>> […]
>>>
>>> Take it as a heads-up to maybe move stuff elsewhere, if it needs http
>>> (e.g. APT repos work well via http since they use PGP for signatures).
>>
>> Actually, this will break most DDs’ APT repositories because
>> apt-transport-https is usually not installed.
>
>
> Pointing machines to a non-mirrored SPoF running on donated project
> resources was bound to be not such a great idea anyway.

Which place would be better for hosting DD's APT repositories?
I had the impression that p.d.o were the usual place for them and it
served quite well.
I would also be interested in keeping plain HTTP to not break
repositories (including mine :-)).

Somehow Steve's question regarding the rationale behind disabling HTTP
got cut out from email responses so let me raise it again:
Why is it important to disable HTTP?
Could it be kept enabled for APT repositories following some special
directory structure like http://p.d.o/~user/ppa/* ?

2014-07-14 0:19 GMT+02:00 Steve Langasek <vor...@debian.org>:
> Hi Martin,
>
> On Sun, Jul 13, 2014 at 10:13:10PM +0200, Martin Zobel-Helas wrote:
>> Furthermore, we will change the people.debian.org web-service such that
>> only HTTPS connections will be supported (unencrypted requests will be
>> redirected).
>
> Could you elaborate on why people.d.o will enforce https? If http
> connections are still allowed, this doesn't provide any protection from a
> MITM attack for most users; and the contents of people.d.o are not generally
> security sensitive. Is this part of a broader effort by DSA to increase use
> of https by default as a deterrent to large-scale traffic sniffing?
>

Cheers,
Balint