
Re: people.debian.org will move from ravel to paradis and become HTTPS only



On Sunday 20 July 2014 13:52:20, Peter Palfrader wrote:
> On Sun, 20 Jul 2014, Wouter Verhelst wrote:
> > These are all good arguments for enabling HTTPS and making it the
> > default (which I've said repeatedly is a move that I support, or at the
> > very least don't oppose), but not for *disabling* the possibility of
> > plain HTTP.
> 
> Pray tell: How do you make it default.

- Enable HSTS on the domain
- Run "sed -i -e 's,http://people.debian.org,https://people.debian.org,g'"
  over a webwml export.
- Create a robots.txt file which is visible from the HTTP export (but
  not from the HTTPS one) which looks like this:

  User-Agent: *
  Disallow: /

With those three easy steps, the only URLs that people will ever find
will be HTTPS URLs. 99% of your traffic will be HTTPS traffic, and that
will be a good thing. Yet when necessary, doing unencrypted HTTP will
still be possible.

It still misses something like step 2 for wiki.debian.org and "all other
stuff out there", but because of step 1 that shouldn't be *too* much of
a problem.

This will also help in, say, the (granted, hypothetical) scenario where
a package in unstable breaks the system so badly that downloading files
over HTTPS is no longer possible and a maintainer wants to post a
(GPG-signed) patch over on http://people.debian.org

-- 
It is easy to love a country that is famous for chocolate and beer

  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26
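
Steps 1 and 3 of the message above as a server configuration, added here as an example; it is not part of the original post and not Debian's actual configuration. Apache 2.4 with mod_ssl, mod_headers and mod_alias is assumed, and every filesystem path is a placeholder.

```apache
# Added example. Hostname is taken from the thread; all paths are placeholders.
# Assumes Apache 2.4 with mod_ssl, mod_headers and mod_alias loaded.

<Directory /srv/people/htdocs>
    Require all granted
</Directory>

# Plain HTTP stays reachable for clients that need it,
# but crawlers are told not to index anything served over it.
<VirtualHost *:80>
    ServerName people.debian.org
    DocumentRoot /srv/people/htdocs

    # Step 3: a deny-all robots.txt that exists only on the HTTP side.
    # http-robots.txt contains the two lines from the message:
    #   User-Agent: *
    #   Disallow: /
    Alias /robots.txt /srv/people/robots/http-robots.txt
    <Directory /srv/people/robots>
        Require all granted
    </Directory>

    # No Strict-Transport-Security header here: RFC 6797 has clients
    # ignore it when it arrives over an insecure transport.
</VirtualHost>

# HTTPS serves the same content. With no Alias, /robots.txt comes from the
# DocumentRoot (or is a 404), so crawlers may index the HTTPS URLs.
<VirtualHost *:443>
    ServerName people.debian.org
    DocumentRoot /srv/people/htdocs

    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/people.debian.org.crt
    SSLCertificateKeyFile /etc/ssl/example/people.debian.org.key

    # Step 1: HSTS. A browser that has seen this header once rewrites later
    # http:// requests for this host to https:// until max-age (seconds) expires.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

Clients that do not implement HSTS, and browsers that have never visited the HTTPS site, still reach the port 80 virtual host unchanged.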

