On Thu, Sep 01, 2011 at 12:13:53PM +0200, Philipp Überbacher wrote:
> Excerpts from Lukas Fleischer's message of 2011-08-06 12:14:14 +0200:
> > On Sat, Aug 06, 2011 at 11:10:48AM +0200, Pierre Schmitz wrote:
> > > On Sat, 6 Aug 2011 02:29:13 +0200, Lukas Fleischer wrote:
> > > > Agreed. I'm still against completely disabling HTTP. We will use HTTPs
> > > > for all links by default so there shouldn't be any users unintentionally
> > > > pasting HTTP links anywhere. Malicious links might still be an issue but
> > > > observant users should be aware of that. And using secure cookies should
> > > > fix that, anyway.
> > >
> > > I didn't tell to disable HTTP. Of course you add a redirect there and
> > > you might even add the HSTS header. It's not only about links, also
> > > people will just type in "aur.archlinux.org" into their browser bar and
> > > that will open http by default.
> >
> > Well, "Redirect all http traffic to https by default" sounded to me like
> > disabling plain HTTP. Perhaps I took this too literally.
> >
> > >
> > > Anyway, I see I am talking to walls here. Sometimes I wonder why there
> > > is so much resistance against encryption. One would think it was the
> > > other way round.
> >
> > Again, and I'm not going to repeat this... I am not against enabling
> > encryption and I am not against making it the default. All I said is
> > that we shouldn't turn down HTTP.
>
> I sadly followed this discussion only remotely when it was ongoing, so I
> have to ask: The agreed upon solution for now is to default to http and
> only allow login from https? At least that's how it is at the moment and
> the http default feels a bit weird to me. When I can only log in with
> https I get the feeling I should use https and wonder why it isn't the
> default. I had a look at other parts of the Arch Linux website as well,
> here's an overview of the defaults:
>
> archlinux.org      -> http  -> no login anyway
> bbs.archlinux.org  -> https -> separate login page
> wiki.archlinux.org -> https -> separate login page
> bugs.archlinux.org -> https -> login on main page
> aur.archlinux.org  -> http  -> login on main page
>
> As you can see, AUR is the fish out of water here, login is on the
> arrival page, but you can't log in by default. I'm sorry to make the
> suggestion this late, but I'd vote for https as default for AUR.

HTTPs is the default - unless you request the HTTP version explicitly. I know that some of the navigation bar links aren't updated yet. I sent a patch for Flyspray to Pierre, and also asked him to update the header include used in our cgit setup. It should be only a matter of time until all links are up-to-date.
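
Added example, not part of the original thread and not AUR code: a small audit of the three measures named in the discussion above (HTTP-to-HTTPS redirect, the HSTS header, Secure cookies). The response dictionaries, the cookie name SID and the function names are assumptions constructed for illustration.

```python
import re
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

def hsts_max_age(headers):
    """Return max-age from Strict-Transport-Security, or None if absent/invalid."""
    value = headers.get("strict-transport-security", "")
    m = re.search(r'(?:^|;)\s*max-age\s*=\s*"?(\d+)"?\s*(?:;|$)', value, re.I)
    return int(m.group(1)) if m else None

def insecure_cookies(set_cookie_values):
    """Names of cookies that were set without the Secure attribute."""
    names = []
    for raw in set_cookie_values:
        jar = SimpleCookie()
        jar.load(raw)
        names += [n for n, morsel in jar.items() if not morsel["secure"]]
    return names

def audit(http_resp, https_resp):
    """Each response: {'status': int, 'headers': {lowercase name: str}, 'set_cookie': [str]}."""
    findings = []
    loc = urlsplit(http_resp["headers"].get("location", ""))
    if not (http_resp["status"] in (301, 302, 307, 308) and loc.scheme == "https"):
        findings.append("http: no redirect to https")
    if http_resp["set_cookie"]:
        findings.append("http: cookie set over plaintext")
    age = hsts_max_age(https_resp["headers"])
    if not age:  # header missing, or max-age=0, which tells browsers to drop the policy
        findings.append("https: no effective HSTS policy")
    for name in insecure_cookies(https_resp["set_cookie"]):
        findings.append(f"https: cookie {name} lacks Secure")
    return findings

# Constructed sample responses (not captured from any real server).
WEAK_HTTP = {"status": 200, "headers": {}, "set_cookie": ["SID=abc; Path=/; HttpOnly"]}
WEAK_HTTPS = {"status": 200, "headers": {}, "set_cookie": ["SID=abc; Path=/; HttpOnly"]}
GOOD_HTTP = {"status": 301, "headers": {"location": "https://aur.archlinux.org/"},
             "set_cookie": []}
GOOD_HTTPS = {"status": 200,
              "headers": {"strict-transport-security": "max-age=31536000"},
              "set_cookie": ["SID=abc; Path=/; HttpOnly; Secure"]}

if __name__ == "__main__":
    for label, pair in (("weak", (WEAK_HTTP, WEAK_HTTPS)), ("good", (GOOD_HTTP, GOOD_HTTPS))):
        print(label, audit(*pair))
```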
