Richard Stallman wrote: > Some people are arguing that we should turn off HTTP on Savannah, > so it should support ONLY HTTPS. I included some of what > they said. > > That seems like a radical demand, and I am skeptical. What do you > think about the issue? Should we actually make Savannah reject HTTP > connections outright?
I am skeptical too. Because there are no absolutes. All generalities are false. Including that one. And also for example would the FSF shutdown anonymous ftp access for ftp.gnu.org too? Anonymous ftp, the anonymous cvs pserver, git server, others, all will be on the chopping block. I fear the pursuit of perfect will injure those not capable of being perfect. In any case the movement toward higher security for the web site is desirable and things are moving that direction as quickly as they can move. However current system is outdated and cannot offer the security features needed of a high security web site. Which is why we are upgrading. The configuration of a high security web site is well understood. We only recently acquired the minimum resources from the FSF to upgrade and are now in the middle of the migration onto the newer system so that such high security can be offered. Before then, as a practical matter it is not possible. Let's talk about this after the upgrade when high security is at least possible. Bob
