
Re: people.debian.org will move from ravel to paradis and become HTTPS only



2014-07-15 21:39 GMT+02:00 Philipp Kern <pkern@debian.org>:
> On 2014-07-15 16:00, Thorsten Glaser wrote:
>>>
>>> Martin Zobel-Helas dixit:
>>>>
>>>> Furthermore, we will change the people.debian.org web-service such that
>>>> only HTTPS connections will be supported (unencrypted requests will be
>>>> redirected).
>>
>> […]
>>>
>>> Take it as a heads-up to maybe move stuff elsewhere, if it needs http
>>> (e.g. APT repos work well via http since they use PGP for signatures).
>>
>> Actually, this will break most DDs’ APT repositories because
>> apt-transport-https is usually not installed.
>
>
> Pointing machines to a non-mirrored SPoF running on donated project
> resources was bound to be not such a great idea anyway.
Which place would be better for hosting DDs' APT repositories? I had
the impression that p.d.o was the usual place for them and it served
quite well.
I would also be interested in keeping plain HTTP so as not to break
repositories (including mine :-)).

Somehow Steve's question regarding the rationale behind disabling HTTP
got cut out of the email responses, so let me raise it again:
Why is it important to disable HTTP?
Could it be kept enabled for APT repositories following some special
directory structure like http://p.d.o/~user/ppa/* ?

2014-07-14 0:19 GMT+02:00 Steve Langasek <vorlon@debian.org>:
> Hi Martin,
>
> On Sun, Jul 13, 2014 at 10:13:10PM +0200, Martin Zobel-Helas wrote:
>> Furthermore, we will change the people.debian.org web-service such that
>> only HTTPS connections will be supported (unencrypted requests will be
>> redirected).
>
> Could you elaborate on why people.d.o will enforce https?  If http
> connections are still allowed, this doesn't provide any protection from a
> MITM attack for most users; and the contents of people.d.o are not generally
> security sensitive.  Is this part of a broader effort by DSA to increase use
> of https by default as a deterrent to large-scale traffic sniffing?
>

Cheers,
Balint
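The breakage Thorsten describes above (apt following a redirect to https without the https transport present) is easy to check for before the switch. The script below is an added example, not code from the thread or from DSA: it scans APT source lines for plain-http people.debian.org entries, counts them, rewrites them to https, and checks whether the local apt has an https method. The sample sources.list content is constructed, and the assumption that the https transport lives at /usr/lib/apt/methods/https (shipped by apt-transport-https, or built into newer apt) is mine.

```shell
#!/bin/sh
# Added example (not part of the original thread): find APT sources that
# would hit a people.debian.org HTTP->HTTPS redirect and need the https
# transport, and rewrite them to https directly.

# Constructed sample sources.list content (not taken from the page).
SAMPLE_SOURCES='deb http://ftp.debian.org/debian/ jessie main
deb http://people.debian.org/~user/ppa/ ./
deb-src http://people.debian.org/~user/ppa/ ./
deb https://people.debian.org/~other/repo/ unstable main
# deb http://people.debian.org/~commented/ ./
'

# Print every active deb/deb-src line whose URI is plain http on p.d.o.
# Comment lines are ignored; blank lines never match the field test.
find_affected() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        ($1 == "deb" || $1 == "deb-src") && $2 ~ /^http:\/\/people\.debian\.org\// { print }
    '
}

# Number of affected lines, as a bare integer.
count_affected() {
    find_affected "$1" | wc -l | tr -d ' '
}

# Rewrite only active p.d.o entries from http:// to https://, leaving
# comments and every other mirror untouched.
rewrite_to_https() {
    printf '%s\n' "$1" | sed -E \
        '/^[[:space:]]*#/! s#^(deb|deb-src)([[:space:]]+)http://people\.debian\.org/#\1\2https://people.debian.org/#'
}

# Does this host's apt have an https method? Assumption: the method file
# path is /usr/lib/apt/methods/https (from apt-transport-https, or a
# built-in method in newer apt releases). Returns 0 if present.
https_transport_available() {
    [ -e /usr/lib/apt/methods/https ]
}

# Stand-alone report for the reader.
n=$(count_affected "$SAMPLE_SOURCES")
echo "plain-http people.debian.org entries: $n"
find_affected "$SAMPLE_SOURCES"
if [ "$n" -gt 0 ] && ! https_transport_available; then
    echo "no https transport found; these entries will fail after the redirect"
    echo "either install apt-transport-https or switch them to https:"
    rewrite_to_https "$SAMPLE_SOURCES" | grep 'https://people.debian.org'
fi
```

Run it against your own sources with `find_affected "$(cat /etc/apt/sources.list)"` to see which entries a redirect-only p.d.o would break on that machine; the rewrite is only a fix on hosts that already have the https method, which is exactly the point Thorsten raises.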

