
Re: CVS webwml/english/News/2014: http -> https ?



On Thu, Oct 30, 2014 at 4:34 AM, Holger Wansing wrote:

> shouldn't that be https instead nowadays?

Yes. I've attached a patch for debwww/cron.git that prevents people
from committing pages containing new http: links for sites that should
use https: and prevents people from committing pages containing https:
links to sites that should use http: due to lack of https support or
self-signed or SPI-signed or CACert-signed certificates. Once it is
added to the repository and the checkout on alioth is updated, the
webwml CVSROOT can be updated to call this script in the appropriate
place.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
From 974fe2ab1324d32a7d16615a4b74b6e9de949a2a Mon Sep 17 00:00:00 2001
From: Paul Wise <pabs@debian.org>
Date: Thu, 8 May 2014 13:45:19 +0800
Subject: [PATCH] Add some handling of Debian/DebConf/SPI SSL links

---
 scripts/ssl_links | 130 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 130 insertions(+)
 create mode 100755 scripts/ssl_links

diff --git a/scripts/ssl_links b/scripts/ssl_links
new file mode 100755
index 0000000..ebcb8d2
--- /dev/null
+++ b/scripts/ssl_links
@@ -0,0 +1,130 @@
+#!/bin/sh
+set -e
+ret=0
+nl='
+'
+alioth_ssl_sites=$(cat <<'END'
+alioth.debian.org
+arch.debian.org
+bzr.debian.org
+cvs.debian.org
+darcs.debian.org
+git.debian.org
+hg.debian.org
+svn.debian.org
+END
+)
+alioth_ssl_regexes=$(cat <<'END'
+http://[-0-9a-zA-Z]\+\.alioth\.debian\.org
+END
+)
+# List from https://anonscm.debian.org/gitweb/?p=mirror/dsa-puppet.git;a=tree;f=modules/ssl/files/servicecerts
+dsa_ssl_sites=$(cat <<'END'
+bits.debian.org
+bugs-master.debian.org
+bugs.debian.org
+buildd.debian-ports.org
+buildd.debian.org
+contributors.debian.org
+db.debian.org
+dsa.debian.org
+ftp-master.debian.org
+lintian.debian.org
+lists.debian.org
+munin.debian.org
+nagios.debian.org
+nm.debian.org
+openstack.bm.debian.org
+packages.debian.org
+packages.qa.debian.org
+people.debian.org
+piuparts.debian.org
+puppet-dashboard.debian.org
+qa.debian.org
+release.debian.org
+rt.debian.org
+rtc.debian.org
+security-master.debian.org
+security-tracker.debian.org
+sip-ws.debian.org
+sso.debian.org
+tracker.debian.org
+udd.debian.org
+vote.debian.org
+wiki.debian.org
+www.debian.org
+END
+)
+debconf_ssl_sites=$(cat <<'END'
+summit.debconf.org
+END
+)
+spi_ssl_sites=$(cat <<'END'
+END
+)
+nossl_sites=$(cat <<'END'
+gobby.debian.org
+nossl.people.debian.org
+popcon.debian.org
+search.debian.org
+END
+)
+nossl_regexes=$(cat <<'END'
+https://debconf[0-9]\+\.debconf\.org/
+https://penta\.debconf\.org/dc[0-9]\+_schedule
+END
+)
+
+for site in $alioth_ssl_sites $dsa_ssl_sites $debconf_ssl_sites $spi_ssl_sites
+do
+	if grep -qF "http://$site"; "$@" 2>/dev/null ; then
+		bad_ssl_urls="$bad_ssl_urls${nl}http://$site";
+	fi
+done
+
+for regex in $alioth_ssl_regexes $dsa_ssl_regexes $debconf_ssl_regexes
+do
+	urls="$(grep -oh "$regex" "$@" 2>/dev/null | sort -u)"
+	if [ "x$urls" != x ] ; then
+		bad_ssl_urls="$bad_ssl_urls${nl}$urls"
+	fi
+done
+
+for site in $nossl_sites
+do
+	if grep -qF "https://$site"; "$@" 2>/dev/null ; then
+		bad_nossl_urls="$bad_nossl_urls${nl}https://$site";
+	fi
+done
+
+for regex in $nossl_regexes
+do
+	urls="$(grep -oh "$regex" "$@" 2>/dev/null | sort -u)"
+	if [ "x$urls" != x ] ; then
+		bad_nossl_urls="$bad_nossl_urls${nl}$urls"
+	fi
+done
+
+if [ "x$bad_ssl_urls" != x ] ; then
+	cat <<EOF
+Commit contains these http: URLs, please change them to https:
+so that users visiting them are protected by SSL.
+$bad_ssl_urls
+EOF
+	ret=1
+fi
+
+if [ "x$bad_nossl_urls" != x ] ; then
+	cat <<EOF
+Commit contains these https: URLs, please change them to http:
+Some Debian/DebConf/SPI/etc websites do not have HTTPS support or are
+only signed by SPI and not by any SSL CA that is trusted by browsers
+outside of Debian, we should avoid linking to https: versions of
+these websites so that people not using Debian don't get errors
+they may not understand.
+$bad_nossl_urls
+EOF
+	ret=1
+fi
+
+exit $ret
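Review bot: Both fixed-string loops (the "for site in $alioth_ssl_sites ..." loop and the "for site in $nossl_sites" loop) have a stray ";" between the grep pattern and "$@", as in: if grep -qF "http://$site"; "$@" 2>/dev/null ; then. The semicolon ends the grep command before any file name is given, so grep reads standard input rather than the committed files, and the shell then tries to run the first file argument as a command, whose exit status becomes the if condition. As written, the site lists are never matched against the files. Drop the semicolon in both places so the files are grep's arguments: if grep -qF "http://$site" "$@" 2>/dev/null ; then. Two smaller points: $dsa_ssl_regexes and $debconf_ssl_regexes are used in the second loop but never defined in this file, so they expand to nothing and should be defined or removed; and bad_ssl_urls and bad_nossl_urls are never initialised, so setting both to an empty string next to ret=0 would stop a value inherited from the environment from failing the check.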
-- 
2.1.1

