On 27 October 2013 13:34, Rob Weir <robw...@apache.org> wrote: > On Sun, Oct 27, 2013 at 4:05 AM, janI <j...@apache.org> wrote: > > On 27 October 2013 02:58, Ariel Constenla-Haile <arie...@apache.org> > wrote: > > > >> On Sat, Oct 26, 2013 at 09:30:06PM -0400, Rob Weir wrote: > >> > On Sat, Oct 26, 2013 at 5:05 PM, Ariel Constenla-Haile > >> > <arie...@apache.org> wrote: > >> > > On Sat, Oct 26, 2013 at 10:54:59PM +0200, janI wrote: > >> > >> Hi. > >> > >> > >> > >> www.openoffice.org now accept both http: and https: as announced > >> > >> earlier. > >> > >> > >> > >> We have however seen that e.g. product.css contain image tag with > >> > >> http://xxx. All references must be relative (without http: and > >> > >> https:). I hope the web admins can do make the needed changes. > >> > > > >> > > There are 26,349 matches of "http://www.openoffice.org/" in > >> > > ooo-site. > >> > > > >> > > >> > We *are not* going to change to a system that requires that links to > >> > www.openoffice.org are all https. I hope that is not what is being > >> > suggested. Remember, we have 10's of thousands of *external* links to > >> > our website that we do control and cannot change. > >> > > >> > Please someone, tell me that this is not what is being suggested here. > >> > > > > No its not, as I wrote in the part you quote, www.openoffice.org will > > continue to have https: but also https: as pr request from the project. > > > > But if I might remind you sent a mail to infra, asking why https: was not > > implemented for www.openoffice.org, which I and pctony responded to. > > > > And if you look at INFRA-6608, you will see a comment from andrea 3 > August: > > "And we will want to use it, even though there is no authentication > there, > > for > > http(s)://www.openoffice.org > > (this is mainly because we receive a steady, even if low, amount of > > complaints from users who cannot browse our main site on HTTPS). " > > > > > > We infra have done exactly as the project asked us to do according to > > INFRA-6608, and that is not correct ?? > > > > There is nothing wrong, IMHO, with supporting https for > www.openoffice.org. There is nothing wrong, IMHO, with *not* > supporting https for www.openoffice.org as well. The problem has been > the confusion caused to users when they get an error about an invalid > certificate when using https with www.openoffice, due to the > apache.org certificate previously associated with it. The mismatch > was the issue. But it should be sufficient to support https on > request for the www subdomain. We don't have any security reason to > have it be the default for the static website, or at least none that I > know of. > > So that is the question: support https versus automatically > redirecting http to https. >
May I politely correct, NO one has talked about redirection of www.openoffice.org. If you read my (and earlier) mails, I have written support http: and https: You are able to view www.openoffice.org as: http://www.openoffice.org or https://www.openoffice.org that is the users choice. Redirection is only mentioned for wiki.o.o and forum.o.o, where it is needed for security reasons. You are able to call http://wiki.openoffice.org, but will be redirected to https://wiki.openoffice.org and all further communication will be https: > My concern, as stated, was regarding the stability of external URLs > using http and whether they would continue to resolve. I wanted to > have some discussion before we started to make bulk edit changes to > thousands of web and wiki pages. I don't think this request was > unreasonable. > The request is not at all unreasonable, but 2 things: - I read about 10 mails with numbers and "will not do", before infra was given a thank for spending a saturday solving a AOO problem. - The bulk edit changes should have discussed and made a while ago, when or before the ticket was issued, and at least before AOO send mails to infra asking why it isnt implemented. It is a bit late (but not causing real problems) to do it afterward. This lack of work is the reason, I try so hard to get https://wiki tested, because I know we have exact the same problem, with the difference http://wiki will not be available. I have spent my morning seeing how the bulk changes can be done, and it can be done automatic: - for www, do "svn co", and use e.g. sed to edit all pages with a regex. Templates is something I dont know, so that might change the work a bit. - for wiki, any vm-admin can open mysql, and do a update statement on the text tables. - for forum any vm-admin can open mysql, and do update statement on the text tables, there might be a config issue with the avatars. Infra secures that www/wiki/forum works technically and e.g. wiki configuration was changed to allow https: forum configuration is prepared. Infra does not and cannot modify the content of the services. > > > I actually never understood why https: was wanted on www.openoffice.org, > > but it was not a problem to do it, so it was done. > > > > Hopefully what I wrote above clarifies. > > > today is a day where I am less proud of being AOO-PMC. We (AOO) have > been > > after infra to get a certificate and get it implemented. Yesterday mark > > took a big chunk of time and with some help from me, got it implemented. > I > > think infra should have a "thank you", instead ! > > > > > > I have of course a double heart in this situation, but I am sure this is > > not a good way, to work together. > > > > Jan, you don't live in a question-free zone. No one's actions in this > project are immune from other project members expressing opinions or > asking questions. Understanding that and accepting that is a good way > to work together. > I have no problem with questions, that is a good way of learning more. I hope I have explained that part above. But asking infra why https: is not implemented, without having our own ground work done, is asking for trouble. > And thanks for your efforts. They are, as always, greatly appreciated. > no problem, I am just trying to implement infra-6608. I hope the wiki/forum moves can be done without these unpleasant waves afterward ! Please understand why this is a big issue for me, this is in no way personal but infra like all other projects consist of volunteers, and if you as volunteer have 10 tasks to do, and 1 is from someone that often react negative, I bet nearly everybody would do the 9 tasks first, hope for 9 other nice tasks before having to do the 1. In other words its human that negative tasks get low priority, and I dont want AOO to be in that position. FYI, It happened now was because I spoke with mark about some code-signing cert issues, and we found a way to share the work. Had I foreseen the waves I would honestly have done 9 other tasks. rgds jan I. > -Rob > > > rgds > > jan I. > > > > > > > >> > >> were you have href="http://www.openoffice.org/some_resource", it should > >> be href="/some_resource" (nothing crazy, but a good practice). > >> > >> Grepping href=["']http://www.openoffice.org/ gives 25,026 matches. > >> > >> > >> Regards > >> -- > >> Ariel Constenla-Haile > >> La Plata, Argentina > >> > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org > For additional commands, e-mail: dev-h...@openoffice.apache.org > >