
Re: security-tracker now on https?



On Fri, 17 May 2013, Thijs Kinkhorst wrote:

> Hi dsa,
> 
> On Thu, April 4, 2013 11:10, Thijs Kinkhorst wrote:
> > Hi admins,
> >
> > It was noted that the security tracker now blanket redirects to
> > https://security-tracker.debian.org. This is fine of course for us DDs,
> > but it presents a problem for externals using it. The tracker is often
> > used by e.g. different distributions like RH and Gentoo, which may not
> > have the SPI CA in their trust store by default and thus makes it
> > inconvenient to them.
> >
> > We're not aware of any confidentiality sensitive information on that web
> > site so enforcing https here does not seem strictly necessary.
> >
> > Is it possible to revert this change?
> 
> Did you get around to looking into this issue yet?

It's still on our table.  There appear to be no really good solutions to
the ssl mafia mess.

The "solution" I'm favouring right now is to get a single *.debian.org
wildcard from the cartel and spread it far and wide.

This actually *reduces* security, but it will stop people from
complaining.  Win?


-- weasel
-- 
                           |  .''`.       ** Debian **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/

