On Sat, Aug 06, 2011 at 01:16:45AM +0300, Ionut Biru wrote:
> On 08/06/2011 12:54 AM, Lukas Fleischer wrote:
> >
> >> To prevent session hijacking, MITM attacks or whatnot I'd recommend the
> >> following:
> >> * Redirect all http traffic to https by default
> >
> > We won't do that. HTTPS will be the default but we won't force users to
> > use HTTPS. If you decide to use HTTP intentionally, we won't prevent you
> > from doing so. HTTPS implies an unnecessary overhead and there's no
> > point in forcing everybody to use HTTPS even if one doesn't even have an
> > AUR account.
> >
>
> That reason is a bit childish. We had this discussion 1 year ago and
> only you and Loui were against.
>
> Seriously now, why are you against https? Do you use some aur helper
> that is broken and uses http and cannot handle redirect well?
Dude, please stick to the facts. IIRC, I didn't even interfere in the last HTTPS discussion and I nowhere mentioned being against HTTPS. I am totally for making HTTPS the default, I'm just against enforcing it. As you can see, I even committed a few patches replacing all links the AUR ever spits out by HTTPS ones. Everything else is only a matter of server configuration and I am against disabling plain HTTP here.

Is there any *real* reason to do that? Even archweb doesn't do that and I don't understand the concerns here. Every half-attentive user should be perfectly fine with how we do it in current master. And in case you're really, really paranoid, just set up a proxy that blocks HTTP connections to the AUR.

Oh, and by the way, I don't use any AUR helper at all. Just to say that.
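The "default only" versus "enforced" choice the thread argues about really is just a web server setting. As an added illustration, not the AUR's actual configuration and not code from either poster, here is what the enforced variant looks like in nginx: plain HTTP only answers with a redirect, the HTTPS vhost sets HSTS so a browser that has seen the site once keeps using HTTPS, and the PHP session cookie gets the Secure flag so it is never sent over plain HTTP even if a user does type http://. Hostname, certificate paths and the php-fpm socket are placeholders.

```nginx
# Added example, not the AUR's real server config. Hostname and paths are placeholders.

# Plain-HTTP vhost: with enforcement, this does nothing but redirect.
# (The thread's "default, not enforced" variant would instead serve the
# same site here as well, which is the part the two posters disagree on.)
server {
    listen 80;
    server_name aur.example.org;            # placeholder
    return 301 https://$host$request_uri;   # permanent redirect, keeps path and query
}

server {
    listen 443 ssl;
    server_name aur.example.org;            # placeholder
    ssl_certificate     /etc/ssl/certs/aur.example.org.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/private/aur.example.org.key; # placeholder path

    # HSTS: browsers that have seen this header go straight to HTTPS for the
    # next 180 days, so a later http:// link or typed URL is not a downgrade.
    # "always" also sends it on error responses (needs nginx >= 1.7.5).
    add_header Strict-Transport-Security "max-age=15552000" always;

    root /srv/aur;                          # placeholder docroot
    index index.php;

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/run/php-fpm/php-fpm.sock;   # placeholder socket
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # Session cookie is only ever sent over HTTPS and not readable from JS,
        # which is what actually closes the hijacking concern raised above.
        fastcgi_param PHP_VALUE "session.cookie_secure=1
session.cookie_httponly=1";
    }
}
```

The redirect alone does not help a client that already sent its cookie over port 80 before being redirected; the Secure flag on the cookie is what prevents that, and it works regardless of whether the plain-HTTP vhost is kept or removed.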
