On Thu, Jul 31, 2014 at 01:26:09PM +0200, Jakub Wilk wrote:
> * Jakub Wilk , 2014-07-30, 22:26:
> >>WARNING: The following packages cannot be authenticated!
> >>apt-transport-https
> >>Install these packages without verification? [y/N]
> >>E: Some packages could not be authenticated
> [...]
> >But
* Jakub Wilk , 2014-07-30, 22:26:
WARNING: The following packages cannot be authenticated!
apt-transport-https
Install these packages without verification? [y/N]
E: Some packages could not be authenticated
[...]
But if the authentication troubles are really related to the
HTTP->HTTPS switch, th
* Jakub Wilk , 2014-07-30, 22:26:
* Agustin Martin , 2014-07-28, 13:06:
This can actually lead to a weird behavior for users. In a system
having something under people.debian.org in apt sources.list and
apt-transport-https not installed, in today's testing upgrade,
$ sudo apt-get update
[...]
* Agustin Martin , 2014-07-28, 13:06:
This can actually lead to a weird behavior for users. In a system
having something under people.debian.org in apt sources.list and
apt-transport-https not installed, in today's testing upgrade,
$ sudo apt-get update
[...]
E: The method driver /usr/lib/apt/
On Tue, Jul 15, 2014 at 02:00:12PM +, Thorsten Glaser wrote:
> Dixi quod…
>
> >Martin Zobel-Helas dixit:
> >
> >>Furthermore, we will change the people.debian.org web-service such that
> >>only HTTPS connections will be supported (unencrypted requests will be
> >>redirected).
> […]
> >Take it
On Mon, 21 Jul 2014, Jakub Wilk wrote:
> * Peter Palfrader , 2014-07-20, 12:07:
> >we have been moving towards https for most services over the last
> >12 months.
>
> Is that intentional that the http->https redirect for bugs.d.o is
> only temporary (302)? Should we update devscripts and
> python
Hi!
On Mon, 2014-07-21 at 19:44:18 +0200, Jakub Wilk wrote:
> * Peter Palfrader , 2014-07-20, 12:07:
> >we have been moving towards https for most services over the last 12
> >months.
>
> Is that intentional that the http->https redirect for bugs.d.o is only
> temporary (302)? Should we update de
* Peter Palfrader , 2014-07-20, 12:07:
we have been moving towards https for most services over the last 12
months.
Is that intentional that the http->https redirect for bugs.d.o is only
temporary (302)? Should we update devscripts and python-debianbts to use
HTTPS for accessing this host?
* Jacob Appelbaum , 2014-07-21, 13:09:
I'm also curious - is there a Debian developer who will not use HTTPS
but does use SSH to access servers?
Very unlikely, with or without the “but …” part. (But I'm afraid I don't
understand what point you're trying to make.)
Is Debian still offering te
Hi,
On Sun, Jul 20, 2014, at 08:47, Tollef Fog Heen wrote:
> Not many HTTP clients support DANE, unfortunately, and MITM-ing
> DNSSEC-secured domains is a bit more effort than just MITM-ing a
> plaintext HTTP connection.
my team has just produced js-types version of DNSSEC/TLSA Validator
so it wo
On Mon, Jul 21, 2014 at 02:38:14PM +, Jacob Appelbaum wrote:
> On 7/21/14, Iain R. Learmonth wrote:
> By that reasoning, we may not authenticate except by sending plaintext
> passwords over such a network. That seems to either be an old policy,
> a mistake or a network that is simply hostile t
On 7/21/14, Iain R. Learmonth wrote:
> Hi Jacob,
>
> On Mon, Jul 21, 2014 at 01:14:14PM +, Jacob Appelbaum wrote:
>> I believe you are mistaken. My understanding is that you're not
>> supposed to use crypto on the radio layer and IP packets are already
>> several layers away from that concern.
On Mon, Jul 21, 2014 at 9:32 PM, Ondřej Surý wrote:
> The current problem with HTTPS is that it bundles encryption with
> authenticity.
> This needs to be unbundled[1]. My opinion is that even a transparent
> opportunistic encryption (f.e. like DANE implementation in postfix)
> would improve the o
Hi Jacob,
On Mon, Jul 21, 2014 at 01:14:14PM +, Jacob Appelbaum wrote:
> I believe you are mistaken. My understanding is that you're not
> supposed to use crypto on the radio layer and IP packets are already
> several layers away from that concern. It would be great to hear from
> a HAM radio
On Mon, Jul 21, 2014, at 13:12, Holger Levsen wrote:
> Hi Iain,
>
> On Sonntag, 20. Juli 2014, Iain R. Learmonth wrote:
> > The main one is that there are places in the world you just can't use HTTPS
> > for legal reasons [...]
>
> I'm curious, can you name one?
http://en.wikipedia.org/wiki/Res
On 7/21/14, Iain R. Learmonth wrote:
> On Mon, Jul 21, 2014 at 01:12:37PM +0200, Holger Levsen wrote:
>> Hi Iain,
>>
>> On Sonntag, 20. Juli 2014, Iain R. Learmonth wrote:
>> > The main one is that there are places in the world you just can't use
>> > HTTPS
>> > for legal reasons [...]
>>
>> I'm c
On 7/21/14, Holger Levsen wrote:
> Hi Iain,
>
> On Sonntag, 20. Juli 2014, Iain R. Learmonth wrote:
>> The main one is that there are places in the world you just can't use
>> HTTPS
>> for legal reasons [...]
>
> I'm curious, can you name one?
>
I'm also curious - is there a Debian developer who
Hi,
On Montag, 21. Juli 2014, Iain R. Learmonth wrote:
> The United Kingdom when using IPv4 over AX.25 on Amateur Radio. Encryption
> is illegal because it goes against the self-policing nature of the amateur
> bands.
and so are probably prison inmates, workers of armed forces and other who
migh
On Mon, Jul 21, 2014 at 01:12:37PM +0200, Holger Levsen wrote:
> Hi Iain,
>
> On Sonntag, 20. Juli 2014, Iain R. Learmonth wrote:
> > The main one is that there are places in the world you just can't use HTTPS
> > for legal reasons [...]
>
> I'm curious, can you name one?
The United Kingdom whe
Hi Iain,
On Sonntag, 20. Juli 2014, Iain R. Learmonth wrote:
> The main one is that there are places in the world you just can't use HTTPS
> for legal reasons [...]
I'm curious, can you name one?
cheers,
Holger
signature.asc
Description: This is a digitally signed message part.
Op maandag 21 juli 2014 11:34:49 schreef Peter Palfrader:
> On Mon, 21 Jul 2014, Wouter Verhelst wrote:
> > Are you talking about something else? If so, can you clarify in more
> > than two words?
>
> Sure, I can clarify:
>
> As I understand the RFC, servers MUST NOT send HSTS headers on insecure
Op maandag 21 juli 2014 11:34:53 schreef Thijs Kinkhorst:
> On Sun, July 20, 2014 21:34, Steve Langasek wrote:
> > Because it's not an improvement to the service; it's a change that makes
> > the *service* to Debian developers worse, for political reasons.
>
> I don't agree that it gets worse
You'
On Mon, 21 Jul 2014, Wouter Verhelst wrote:
> Op zondag 20 juli 2014 21:22:48 schreef Peter Palfrader:
> > On Sun, 20 Jul 2014, Wouter Verhelst wrote:
> > > If HSTS is enabled and you access people.debian.org even once (and you
> > > don't clear out their entire cache for as long as the HSTS timeo
Op maandag 21 juli 2014 17:39:44 schreef Paul Wise:
> On Mon, Jul 21, 2014 at 5:22 PM, Wouter Verhelst wrote:
> > Yes it does.
>
> No...
>
> > I just tried chromium and iceweasel on this laptop (running sid, a few
> > days out of date). Both will turn "http://www.debian.org"; into
> > "https://ww
On Mon, Jul 21, 2014 at 5:22 PM, Wouter Verhelst wrote:
> Yes it does.
No...
> I just tried chromium and iceweasel on this laptop (running sid, a few
> days out of date). Both will turn "http://www.debian.org"; into
> "https://www.debian.org"; due to HSTS. This works whether I enter the
> "http:
On Sun, July 20, 2014 21:34, Steve Langasek wrote:
> Because it's not an improvement to the service; it's a change that makes
> the *service* to Debian developers worse, for political reasons.
I don't agree that it gets worse or that it is for political reasons, but
even if it were, it being polit
Op zondag 20 juli 2014 21:22:48 schreef Peter Palfrader:
> On Sun, 20 Jul 2014, Wouter Verhelst wrote:
> > If HSTS is enabled and you access people.debian.org even once (and you
> > don't clear out their entire cache for as long as the HSTS timeout
> > lives), then HSTS will ensure that the HTTP UR
On 07/21/2014 12:19 AM, Peter Palfrader wrote:
> On Sun, 20 Jul 2014, Wouter Verhelst wrote:
>
These are all good arguments for enabling HTTPS and making it the
default (which I've said repeatedly is a move that I support, or at the
very least don't oppose), but not for *disabling*
Hi,
On Sun, Jul 20, 2014 at 07:30:35PM +0100, Colin Watson wrote:
> I'll hopefully get to finishing this at DebConf; I think I merged most
> of the safe and independent pieces already, and mostly just need to deal
> with wget-udeb. I'm not expecting to backport this to wheezy though.
yeah, it se
On Mon, Jul 21, 2014 at 12:05:56AM +0200, Stefano Zacchiroli wrote:
> On Sun, Jul 20, 2014 at 09:00:05PM +0200, Peter Palfrader wrote:
> > IMO, a dedicated vhost name sounds much more appealing than magic apache
> > configs. I wonder whether it should use the same UserDirs.
>
> Oh, right. With d
On Sun, Jul 20, 2014 at 09:00:05PM +0200, Peter Palfrader wrote:
> IMO, a dedicated vhost name sounds much more appealing than magic apache
> configs. I wonder whether it should use the same UserDirs.
Oh, right. With different UserDirs (bonus point: the default one,
public_html/, being the one t
On Sun, 20 Jul 2014, Wouter Verhelst wrote:
> If HSTS is enabled and you access people.debian.org even once (and you
> don't clear out their entire cache for as long as the HSTS timeout
> lives), then HSTS will ensure that the HTTP URL gets turned into an
> HTTPS URL automatically.
Alas, no.
--
On Sun, Jul 20, 2014 at 01:19:58PM +0200, Thijs Kinkhorst wrote:
> On Sun, July 20, 2014 08:15, Wouter Verhelst wrote:
> > Op zaterdag 19 juli 2014 22:54:47 schreef u:
> >> > Please note that there remain cases where accessing HTTPS is difficult
> >> > or impossible. One of these (but by no means t
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On 07/20/2014 03:08 PM, Wouter Verhelst wrote:
> Op zondag 20 juli 2014 18:19:14 schreef Peter Palfrader:
>> None of these brings people who type in people.debian.org into
>> their browser to https.
>
> If they type it in because they want to avoi
On Sun, 20 Jul 2014, Stefano Zacchiroli wrote:
> AFAICT the only technical change that will do that (sanely) is an
> HTTP-level redirection from http://(.*) to https://$1 .
That is my understanding as well.
> - it's not entirely clear how much extra work implementing this would
> require. In
Op zondag 20 juli 2014 18:19:14 schreef Peter Palfrader:
> On Sun, 20 Jul 2014, Wouter Verhelst wrote:
> > > > These are all good arguments for enabling HTTPS and making it the
> > > > default (which I've said repeatedly is a move that I support, or at
> > > > the
> > > > very least don't oppose),
On Sun, Jul 20, 2014 at 08:23:58PM +0200, Philipp Kern wrote:
> On 2014-07-20 08:15, Wouter Verhelst wrote:
> >True, but debian-installer simply does not support any signed/encrypted
> >preseeding.
> […]
> >Granted, these are probably bugs, and IIRC Colin was working on
> >providing HTTPS support f
On 2014-07-20 08:15, Wouter Verhelst wrote:
True, but debian-installer simply does not support any signed/encrypted
preseeding.
[…]
Granted, these are probably bugs, and IIRC Colin was working on
providing HTTPS support for jessie. Still, I while I support enabling
HTTPS for people.d.o, I think
On Sun, Jul 20, 2014 at 06:19:14PM +0200, Peter Palfrader wrote:
> None of these brings people who type in people.debian.org into their
> browser to https.
Right.
AFAICT the only technical change that will do that (sanely) is an
HTTP-level redirection from http://(.*) to https://$1 . Having that
On Sun, 20 Jul 2014, Wouter Verhelst wrote:
> > > These are all good arguments for enabling HTTPS and making it the
> > > default (which I've said repeatedly is a move that I support, or at the
> > > very least don't oppose), but not for *disabling* the possibility of
> > > plain HTTP.
> >
> > Pr
On Sun, Jul 20, 2014, at 12:06, Tim Retout wrote:
> On 20 July 2014 10:07, Wouter Verhelst wrote:
> > With the state of the CA cartel these days, I have little
> > trust in the strength of HTTPS as a verification mechanism, and so I
> > wouldn't trust a file to be correct even if it came through a
Op zondag 20 juli 2014 13:28:43 schreef Marc Haber:
> On Sun, 20 Jul 2014 13:21:03 +0200, Wouter Verhelst wrote:
> >Op zondag 20 juli 2014 11:38:13 schreef Marc Haber:
> >> I might me missing something, and I admit not having read the entire
> >> thread, but how would they have access to private k
Op zondag 20 juli 2014 13:52:20 schreef Peter Palfrader:
> On Sun, 20 Jul 2014, Wouter Verhelst wrote:
> > These are all good arguments for enabling HTTPS and making it the
> > default (which I've said repeatedly is a move that I support, or at the
> > very least don't oppose), but not for *disabli
W dniu 20/07/2014 11:01, Peter Palfrader napisał(a):
I do think that if DSA are going to enforce such a policy, they should
be
able to explain why.
"What Ondřej said"
a.k.a. “because”. Do try better.
– j.
--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject o
On Sun, 20 Jul 2014, Iain R. Learmonth wrote:
> > Pray tell: How do you make it default.
>
> See: http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
>
> It sends a header to tell you you should be using HTTPS.
Alas, that's not what HSTS is about or for. It cannot be used for this.
-
On Sun, Jul 20, 2014 at 01:52:20PM +0200, Peter Palfrader wrote:
> On Sun, 20 Jul 2014, Wouter Verhelst wrote:
> > These are all good arguments for enabling HTTPS and making it the
> > default (which I've said repeatedly is a move that I support, or at the
> > very least don't oppose), but not for
On Sun, Jul 20, 2014 at 12:03:59PM +0200, Jakub Wilk wrote:
> My proposal:
> http://nohttps.people.debian.org/~user/file
This is similar to my proposal[1], using a seperate VHOST that would allow HTTP
access. It's clear in the URL what is going on, and most people will be
using HTTPS but there are
On Sun, Jul 20, 2014 at 10:38:23AM +0200, Matthias Urlichs wrote:
> > Pervasive monitoring.
>
> In and of itself, if you only access publicly-availble files, that's not a
> threat.
1 Security service has unknown exploit.
2 Pervasive monitoring sees you install a package from somewhere over HTTP.
On Sun, 20 Jul 2014, Wouter Verhelst wrote:
> These are all good arguments for enabling HTTPS and making it the
> default (which I've said repeatedly is a move that I support, or at the
> very least don't oppose), but not for *disabling* the possibility of
> plain HTTP.
Pray tell: How do you make
]] Wouter Verhelst
> AFAIK, people.debian.org does not allow running server-side HTTP scripts
> (and even if it does, I think that's a bad idea and we should disable it
> ASAP). As such, people.debian.org is not an interface for reading mail
> in your browser over HTTP, or doing IRC, or whatnot.
On Sun, 20 Jul 2014 13:21:03 +0200, Wouter Verhelst wrote:
>Op zondag 20 juli 2014 11:38:13 schreef Marc Haber:
>> I might me missing something, and I admit not having read the entire
>> thread, but how would they have access to private key material?
>
>Beyond GPG keys there are also DNSSEC privat
Op zondag 20 juli 2014 11:38:13 schreef Marc Haber:
> On Sun, 20 Jul 2014 10:45:10 +0200, Wouter Verhelst wrote:
> >Op zondag 20 juli 2014 09:23:55 schreef u:
> >> On Sun, Jul 20, 2014, at 08:15, Wouter Verhelst wrote:
> >> > Additionally, since debian.org uses DNSSEC, if you can somehow MITM
> >>
On Sun, July 20, 2014 08:15, Wouter Verhelst wrote:
> Op zaterdag 19 juli 2014 22:54:47 schreef u:
>> > Please note that there remain cases where accessing HTTPS is difficult
>> > or impossible. One of these (but by no means the only one) is the
>> > current release of debian-installer: the wget im
Op zondag 20 juli 2014 12:53:59 schreef Jeroen Dekkers:
> At Sun, 20 Jul 2014 11:07:16 +0200,
>
> Wouter Verhelst wrote:
> > Even ignoring that, assuming people trust that code off
> > people.debian.org is "safe", if they run a validating DNS resolver they
> > don't run more of a risk than if they
Op zondag 20 juli 2014 11:06:00 schreef Tim Retout:
> On 20 July 2014 10:07, Wouter Verhelst wrote:
> > With the state of the CA cartel these days, I have little
> > trust in the strength of HTTPS as a verification mechanism, and so I
> > wouldn't trust a file to be correct even if it came through
At Sun, 20 Jul 2014 11:07:16 +0200,
Wouter Verhelst wrote:
> Even ignoring that, assuming people trust that code off
> people.debian.org is "safe", if they run a validating DNS resolver they
> don't run more of a risk than if they use only HTTPS.
I don't really follow that. A validating DNS resolv
On Sun, 20 Jul 2014, Ondřej Surý wrote:
> Pervasive monitoring. Really we should introduce encryption
> *everywhere*.
And indeed we have been moving towards https for most services over the
last 12 months.
www is still not done, due to unfortunate push-bash by the service
owners, but most others
On Sun, 20 Jul 2014, Steve Langasek wrote:
> On Sun, Jul 20, 2014 at 09:23:55AM +0200, Ondřej Surý wrote:
> > On Sun, Jul 20, 2014, at 08:15, Wouter Verhelst wrote:
> > > > There are lots of attack vectors. It's not a response to a single
> > > > attack being exploited in the wild.
>
> > > So na
On Sun, 20 Jul 2014 10:45:10 +0200, Wouter Verhelst wrote:
>Op zondag 20 juli 2014 09:23:55 schreef u:
>> On Sun, Jul 20, 2014, at 08:15, Wouter Verhelst wrote:
>> > Additionally, since debian.org uses DNSSEC, if you can somehow MITM
>> > people.debian.org then due to DANE you can MITM it for HTTP
On 20 July 2014 10:07, Wouter Verhelst wrote:
> With the state of the CA cartel these days, I have little
> trust in the strength of HTTPS as a verification mechanism, and so I
> wouldn't trust a file to be correct even if it came through an HTTPS
> connection that validates. Instead, I would only
* Tollef Fog Heen , 2014-07-20, 08:47:
Would you be happy with
http://people.debian.org/THIS-IS-INSECURE/YES-I-WANT-TO-PROCEED/~user/file
as the URLs?
No need to be condescending. :-(
Also, I wouldn't say “insecure”, which might be vague in this context.
My proposal:
http://nohttps.people.d
On Sun, Jul 20, 2014 at 09:23:55AM +0200, Ondřej Surý wrote:
> On Sun, Jul 20, 2014, at 08:15, Wouter Verhelst wrote:
> > > There are lots of attack vectors. It's not a response to a single
> > > attack being exploited in the wild.
> > So name one?
> Pervasive monitoring. Really we should introd
Op zondag 20 juli 2014 08:47:07 schreef Tollef Fog Heen:
> ]] Wouter Verhelst
>
> > Op zaterdag 19 juli 2014 22:54:47 schreef u:
> > > ]] Wouter Verhelst
> > >
> > > > Op zondag 13 juli 2014 22:13:10 schreef Martin Zobel-Helas:
> > > > > Furthermore, we will change the people.debian.org web-servi
Op zondag 20 juli 2014 09:23:55 schreef u:
> On Sun, Jul 20, 2014, at 08:15, Wouter Verhelst wrote:
> > Additionally, since debian.org uses DNSSEC, if you can somehow MITM
> > people.debian.org then due to DANE you can MITM it for HTTP as well as
> > HTTPS, so forcing HTTPS really doesn't gain you
Hi,
Ondřej Surý:
> Pervasive monitoring.
In and of itself, if you only access publicly-availble files, that's not a
threat.
> Really we should introduce encryption
> *everywhere*.
>
This change does not introduce encryption.
It disables the option not to use encryption.
I can accept that e.g.
On Sun, Jul 20, 2014, at 08:15, Wouter Verhelst wrote:
> Additionally, since debian.org uses DNSSEC, if you can somehow MITM
> people.debian.org then due to DANE you can MITM it for HTTP as well as
> HTTPS, so forcing HTTPS really doesn't gain you much.
But that implies that the attacker has acces
]] Wouter Verhelst
> Op zaterdag 19 juli 2014 22:54:47 schreef u:
> > ]] Wouter Verhelst
> > > Op zondag 13 juli 2014 22:13:10 schreef Martin Zobel-Helas:
> > > > Furthermore, we will change the people.debian.org web-service such that
> > > > only HTTPS connections will be supported (unencrypted
Op zaterdag 19 juli 2014 22:54:47 schreef u:
> ]] Wouter Verhelst
> > Op zondag 13 juli 2014 22:13:10 schreef Martin Zobel-Helas:
> > > Furthermore, we will change the people.debian.org web-service such that
> > > only HTTPS connections will be supported (unencrypted requests will be
> > > redirect
]] Wouter Verhelst
> Op zondag 13 juli 2014 22:13:10 schreef Martin Zobel-Helas:
> > Furthermore, we will change the people.debian.org web-service such that
> > only HTTPS connections will be supported (unencrypted requests will be
> > redirected).
>
> Why?
Because the world is a nastier place
Op zondag 13 juli 2014 22:13:10 schreef Martin Zobel-Helas:
> Furthermore, we will change the people.debian.org web-service such that
> only HTTPS connections will be supported (unencrypted requests will be
> redirected).
Why?
Please note that there remain cases where accessing HTTPS is difficult
2014-07-17 2:20 GMT+02:00 brian m. carlson :
> On Wed, Jul 16, 2014 at 11:43:17PM +0100, Steven Chamberlain wrote:
>> Some sites (I mean, deployments) like to use a caching proxy, especially
>> if many machines use the same resource, and/or bandwidth is scarce. Or
>> even just one machine accessin
On Wed, Jul 16, 2014 at 11:43:17PM +0100, Steven Chamberlain wrote:
> Some sites (I mean, deployments) like to use a caching proxy, especially
> if many machines use the same resource, and/or bandwidth is scarce. Or
> even just one machine accessing the same resource often. Maybe this
> won't app
Some sites (I mean, deployments) like to use a caching proxy, especially
if many machines use the same resource, and/or bandwidth is scarce. Or
even just one machine accessing the same resource often. Maybe this
won't apply to anything particular on people.d.o, but certainly a lot of
websites are
On Wed, 2014-07-16 at 19:50 +0200, Bálint Réczey wrote:
> 2014-07-15 21:39 GMT+02:00 Philipp Kern :
> > On 2014-07-15 16:00, Thorsten Glaser wrote:
> >>>
> >>> Martin Zobel-Helas dixit:
>
> Furthermore, we will change the people.debian.org web-service such that
> only HTTPS connectio
2014-07-15 21:39 GMT+02:00 Philipp Kern :
> On 2014-07-15 16:00, Thorsten Glaser wrote:
>>>
>>> Martin Zobel-Helas dixit:
Furthermore, we will change the people.debian.org web-service such that
only HTTPS connections will be supported (unencrypted requests will be
redirected).
>
On 2014-07-15 16:00, Thorsten Glaser wrote:
Martin Zobel-Helas dixit:
Furthermore, we will change the people.debian.org web-service such
that
only HTTPS connections will be supported (unencrypted requests will
be
redirected).
[…]
Take it as a heads-up to maybe move stuff elsewhere, if it nee
Dixi quod…
>Martin Zobel-Helas dixit:
>
>>Furthermore, we will change the people.debian.org web-service such that
>>only HTTPS connections will be supported (unencrypted requests will be
>>redirected).
[…]
>Take it as a heads-up to maybe move stuff elsewhere, if it needs http
>(e.g. APT repos work
h01ger wrote:
>On Sonntag, 13. Juli 2014, Thorsten Glaser wrote:
>> >Furthermore, we will change the people.debian.org web-service such that
>> >only HTTPS connections will be supported (unencrypted requests will be
>> >redirected).
>> This means that requests from wget (since it switched from Open
On Mon, Jul 14, 2014 at 10:36:10AM +0100, Iain R. Learmonth wrote:
> If Debian stops supporting embedded platforms, it stops being a universal
> operating system.
FSVO universal.
I think this is not a good argument unless/until we have some more-or-less
common and official agreement about what does
On Mon, Jul 14, 2014 at 11:16:01AM +0200, Holger Levsen wrote:
> am I getting this right, that there are architectures which are too slow to
> use https??? if so: "wow"...
This seems likely, especially for embedded platforms where power is a
massive constraint.
> (And, if that's the case, I don
Hi,
On Sonntag, 13. Juli 2014, Thorsten Glaser wrote:
> >Furthermore, we will change the people.debian.org web-service such that
> >only HTTPS connections will be supported (unencrypted requests will be
> >redirected).
> This means that requests from wget (since it switched from OpenSSL to
> GnuTL
On Mon, Jul 14, 2014 at 7:09 AM, Guillem Jover wrote:
> HSTS protects mostly from MITM (except for first connection), but I'm
> not sure if DSA is planning to add it.
HSTS is a standard part of HTTPS setup on machines run by DSA, so it
is very likely they will.
--
bye,
pabs
https://wiki.debian
On Sun, 2014-07-13 at 15:19:22 -0700, Steve Langasek wrote:
> On Sun, Jul 13, 2014 at 10:13:10PM +0200, Martin Zobel-Helas wrote:
> > Furthermore, we will change the people.debian.org web-service such that
> > only HTTPS connections will be supported (unencrypted requests will be
> > redirected).
>
Hi Martin,
On Sun, Jul 13, 2014 at 10:13:10PM +0200, Martin Zobel-Helas wrote:
> Furthermore, we will change the people.debian.org web-service such that
> only HTTPS connections will be supported (unencrypted requests will be
> redirected).
Could you elaborate on why people.d.o will enforce https
* Martin Zobel-Helas , 2014-07-13, 22:13:
The plan is to execute a final sync of home directories on 2014-JUL-26
starting at 0800Z.
http://xkcd.com/1179/
we will change the people.debian.org web-service such that only HTTPS
connections will be supported (unencrypted requests will be
redirect
Martin Zobel-Helas dixit:
>Furthermore, we will change the people.debian.org web-service such that
>only HTTPS connections will be supported (unencrypted requests will be
>redirected).
This means that requests from wget (since it switched from OpenSSL to
GnuTLS) and other utilities from slow arch
86 matches
Mail list logo
