On Thu, Oct 30, 2014 at 4:34 AM, Holger Wansing wrote:

> shouldn't that be https instead nowadays?

Yes. I've attached a patch for debwww/cron.git that prevents people from committing pages containing new http: links for sites that should use https: and prevents people from committing pages containing https: links to sites that should use http: due to lack of https support or self-signed or SPI-signed or CACert-signed certificates.

Once it is added to the repository and the checkout on alioth is updated, the webwml CVSROOT can be updated to call this script in the appropriate place.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

From 974fe2ab1324d32a7d16615a4b74b6e9de949a2a Mon Sep 17 00:00:00 2001 From: Paul Wise <p...@debian.org> Date: Thu, 8 May 2014 13:45:19 +0800 Subject: [PATCH] Add some handling of Debian/DebConf/SPI SSL links --- scripts/ssl_links | 130 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 130 insertions(+) create mode 100755 scripts/ssl_links diff --git a/scripts/ssl_links b/scripts/ssl_links new file mode 100755 index 0000000..ebcb8d2 --- /dev/null +++ b/scripts/ssl_links 
@@ -0,0 +1,130 @@ +#!/bin/sh +set -e +ret=0 +nl=' +' +alioth_ssl_sites=$(cat <<'END' +alioth.debian.org +arch.debian.org +bzr.debian.org +cvs.debian.org +darcs.debian.org +git.debian.org +hg.debian.org +svn.debian.org +END +) +alioth_ssl_regexes=$(cat <<'END' +http://[-0-9a-zA-Z]\+\.alioth\.debian\.org +END +) +# List from https://anonscm.debian.org/gitweb/?p=mirror/dsa-puppet.git;a=tree;f=modules/ssl/files/servicecerts +dsa_ssl_sites=$(cat <<'END' +bits.debian.org +bugs-master.debian.org +bugs.debian.org +buildd.debian-ports.org +buildd.debian.org +contributors.debian.org +db.debian.org +dsa.debian.org +ftp-master.debian.org +lintian.debian.org +lists.debian.org +munin.debian.org +nagios.debian.org +nm.debian.org +openstack.bm.debian.org +packages.debian.org +packages.qa.debian.org +people.debian.org +piuparts.debian.org +puppet-dashboard.debian.org +qa.debian.org +release.debian.org +rt.debian.org +rtc.debian.org +security-master.debian.org +security-tracker.debian.org +sip-ws.debian.org +sso.debian.org +tracker.debian.org +udd.debian.org +vote.debian.org +wiki.debian.org +www.debian.org +END +) +debconf_ssl_sites=$(cat <<'END' +summit.debconf.org +END +) +spi_ssl_sites=$(cat <<'END' +END +) +nossl_sites=$(cat <<'END' +gobby.debian.org +nossl.people.debian.org +popcon.debian.org +search.debian.org +END +) +nossl_regexes=$(cat <<'END' +https://debconf[0-9]\+\.debconf\.org/ +https://penta\.debconf\.org/dc[0-9]\+_schedule +END +) + +for site in $alioth_ssl_sites $dsa_ssl_sites $debconf_ssl_sites $spi_ssl_sites +do + if grep -qF "http://$site" "$@" 2>/dev/null ; then + bad_ssl_urls="$bad_ssl_urls${nl}http://$site" + fi +done + +for regex in $alioth_ssl_regexes $dsa_ssl_regexes $debconf_ssl_regexes +do + urls="$(grep -oh "$regex" "$@" 2>/dev/null | sort -u)" + if [ "x$urls" != x ] ; then + bad_ssl_urls="$bad_ssl_urls${nl}$urls" + fi +done + +for site in $nossl_sites +do + if grep -qF "https://$site" "$@" 2>/dev/null ; then + 
bad_nossl_urls="$bad_nossl_urls${nl}https://$site" + fi +done + +for regex in $nossl_regexes +do + urls="$(grep -oh "$regex" "$@" 2>/dev/null | sort -u)" + if [ "x$urls" != x ] ; then + bad_nossl_urls="$bad_nossl_urls${nl}$urls" + fi +done + +if [ "x$bad_ssl_urls" != x ] ; then + cat <<EOF +Commit contains these http: URLs, please change them to https: +so that users visiting them are protected by SSL. +$bad_ssl_urls +EOF + ret=1 +fi + +if [ "x$bad_nossl_urls" != x ] ; then + cat <<EOF +Commit contains these https: URLs, please change them to http: +Some Debian/DebConf/SPI/etc websites do not have HTTPS support or are +only signed by SPI and not by any SSL CA that is trusted by browsers +outside of Debian, we should avoid linking to https: versions of +these websites so that people not using Debian don't get errors +they may not understand. +$bad_nossl_urls +EOF + ret=1 +fi + +exit $ret -- 2.1.1
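
Review bot: The second loop (for regex in $alioth_ssl_regexes $dsa_ssl_regexes $debconf_ssl_regexes) reads dsa_ssl_regexes and debconf_ssl_regexes, but the script only defines alioth_ssl_regexes and nossl_regexes. They expand to nothing today, so the loop still runs, but the script would abort if set -u were ever added, and a value inherited from the caller's environment would be fed to grep as a pattern. Define them as empty here-docs the way spi_ssl_sites is, or drop them from the loop. The same goes for bad_ssl_urls and bad_nossl_urls, which are appended to without being initialised next to ret=0. Two smaller points: the checks grep the whole of each file in "$@", so a commit touching a page that already contains a listed http: link is rejected as well, which is broader than the "new http: links" behaviour the cover mail describes; and because grep -qF and grep -oh both suppress file names, the error output lists the URLs but not which file holds them (grep -lF, or dropping -h, would let the message say where to look).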