Can you also change the snapshots at utah.edu to access the catalog with https? The server supports https.

On 09/01/16 04:54, Matthew Flatt wrote:
Sam, Ryan, I, and others have been moving Racket services to HTTPS:

   https://racket-lang.org/

We're changing all references to use HTTPS, so if you go to
"http://racket-lang.org" (no "s"), the "Download" link takes you to
"https://download.racket-lang.org/". The default download button on
that page similarly points to "https://mirror.racket-lang.org/".

We have not yet started enforcing HTTPS on any of our pages, either
through a redirect from "http://" to "https://" or through HSTS. We
want to gain more confidence in our setup before taking that step.


Packages and catalog:

You can set "https://pkgs.racket-lang.org/" as your package catalog,
and we've made that the default for the next release. Beware, however,
that `raco pkg` in v6.3 and earlier does not actually make a secure
connection for HTTPS references (because it doesn't validate the
server's certificate); we've fixed that for the next release.

With the development version of Racket, if you want to use an insecure
HTTPS reference for some reason with `raco pkg` (e.g., to a server with
a self-signed certificate), set the `PLT_PKG_SSL_NO_VERIFY` environment
variable.


General security note:

Except for "https://mirror.racket-lang.org", HTTPS content is provided
via CloudFlare from an HTTP (not HTTPS) access of S3. So, you can only
trust the content of "https://pkgs.racket-lang.org" to the degree that
you trust Amazon, CloudFlare, and the channel between them to provide
the data that we put on S3. We may eventually strengthen the channel
between our data (especially package metadata) and HTTPS services, but
we're not working on that right now.


