Re: [aur-general] Remove request: liferea-svn
On Sat, Oct 30, 2010 at 8:21 AM, Alexander 'hatred' Drozdoff wrote: > Hi guys! > > Liferea project switch to git instead svn. PKGBUILD for git already present > in AUR, so > package liferea-svn[1] can be removed. > > [1] http://aur.archlinux.org/packages.php?ID=13568 Done, thanks.
[aur-general] Remove request: liferea-svn
Hi guys! Liferea project switch to git instead svn. PKGBUILD for git already present in AUR, so package liferea-svn[1] can be removed. [1] http://aur.archlinux.org/packages.php?ID=13568 -- WBR Alexander Drozdov FIDO: 2:5045/41.84 Site: http://hatred.homelinux.net Site: http://archlinux.org.ru
Re: [aur-general] aur website default ssl
I'm glad I sparked a discussion! I however am still on the decidedly non-paranoid side. Yes I know how man in the middle attacks work. Yes I understand it's possible. No I don't think it's likely. Basically because there is no money involved. Take that as naivete or ignorance if you want but I'm not jumping on the bandwagon. Everyone has taken a technical low-level look at the problem but my point of view is a little broader. The AUR security model is so weak as it is. Anyone can upload any package to run arbitrary code on your machine. Just slapping on https as if to say "we're secure now!" doesn't make me feel more secure. If someone wants to mess with me they don't have to hijack my connection they just upload a bad package. Just to be clear I think the freedom of allowing anyone to upload a package is a good thing and worth the security risk. I haven't been bitten by any malicious packages so far though I usually check them. HTTPS is great, feel free to use it. Switching it to mandatory and telling me how much better off I am seems a bit like evangelism. I don't think HTTPS is bad I just think forcing everything to HTTPS is a lazier than fixing the login to use HTTPS. Yes people can sniff my session id to just about any site I visit. Session IDs change. Sniffing a password is much more dangerous. Passwords are personal property. Passwords can be reused... like on other ArchLinux sites. -- -Justin
Re: [aur-general] aur website default ssl
On 2010-10-29 00:32 -0400 (43:5) Loui Chang wrote: > On Thu 28 Oct 2010 18:01 +0300, Ionuț Bîru wrote: > > On 10/28/2010 03:27 AM, Loui Chang wrote: > > >On Wed 27 Oct 2010 14:14 +0200, Pierre Schmitz wrote: > > >>On Wed, 27 Oct 2010 11:40:19 +0300, Ionuț Bîru > > >>wrote: > > >>>As i said earlier in a reply to Loui, maybe we can do it > > >>>better.Having https only for login and then redirecting to http is > > >>>like not having it at all. > > >> > > >>Simply using https for all connections is the easiest and best solution > > >>imho. Everything in between is either insecure or inconvenient for the > > >>users. And I also don't see the need for it. Every sane http client > > >>should handle a http redirect and https. If it does not it's just a bug > > >>in the client. Of course it is unfortunate that this wasn't tested by > > >>the clyde author before. > > > > > >I would appreciate if you consult aur-dev before making changes to the > > >AUR. Can you please describe how you made this change, and how we can > > >enable normal http? > > > > seriously, why did you changed it back to http over https? > > > > in less than 1 day all aur helpers are working again and i don't see > > a reason to use http again. Really, what's the point? > > The AUR isn't yours alone to decide how everyone should use it. > That's one reason you should consult aur-dev before making such changes. > > SSL will still work. The point is to allow users to make the choice > whether or not they want to use ssl. > > That choice was impossible the way it was implemented. I think it's great that the AUR uses HTTPS by default (I've given reasons for preferring HTTPS in general on the forum) but I also agree that users should be able to access the site via HTTP if they so choose.
Re: [aur-general] [google-talkplugin] How to build an older version of openssl
On 10/27/2010 09:34 PM, Denis A. Altoé Falqueto wrote: On Wed, Oct 27, 2010 at 3:29 PM, Ionuț Bîru wrote: want to paste your PKGBUILD to look at it? I did, it's in the original mail :) But here it is, to save time: http://pastebin.com/04xsippr. If you change lines 37 and 39, appending linux32 at the start of the lines, it will generate ELF32 libraries. The depends and makedepends arrays are not quite right, but I'll try to run namecap on it when I have some time. sorry for the late reply. I was thinking you used the lib32-openssl as model but my assumption was wrong. lib32-openssl has this for configure: ./Configure linux-elf --prefix=/usr --openssldir=/etc/ssl --libdir=lib32 etc note the linux-elf option. that is important. http://pastebin.com/aUS7MBNH -- Ionuț
