Re: [PATCH for v5.9] netfilter: Replace HTTP links with HTTPS ones

2020-07-24 Thread Pablo Neira Ayuso
On Sun, Jul 19, 2020 at 01:52:02PM +0200, Alexander A. Klimov wrote:
> Rationale:
> Reduces attack surface on kernel devs opening the links for MITM
> as HTTPS traffic is much harder to manipulate.

LGTM.

Can you squash this patch into this?

netfilter: xtables: Replace HTTP links with HTTPS ones

Probably better if this can be done for the entire netfilter tree in
one single patch.

Thanks.


[PATCH for v5.9] netfilter: Replace HTTP links with HTTPS ones

2020-07-19 Thread Alexander A. Klimov
Rationale:
Reduces attack surface on kernel devs opening the links for MITM
as HTTPS traffic is much harder to manipulate.

Deterministic algorithm:
For each file:
  If not .svg:
    For each line:
      If doesn't contain `\bxmlns\b`:
        For each link, `\bhttp://[^# \t\r\n]*(?:\w|/)`:
          If neither `\bgnu\.org/license`, nor `\bmozilla\.org/MPL\b`:
            If both the HTTP and HTTPS versions
            return 200 OK and serve the same content:
              Replace HTTP with HTTPS.

Signed-off-by: Alexander A. Klimov 
---
 Continuing my work started at 93431e0607e5.
 See also: git log --oneline '--author=Alexander A. Klimov ' v5.7..master
 (Actually letting a shell for loop submit all this stuff for me.)

 If there are any URLs to be removed completely
 or at least not (just) HTTPSified:
 Just clearly say so and I'll *undo my change*.
 See also: https://lkml.org/lkml/2020/6/27/64

 If there are any valid, but yet not changed URLs:
 See: https://lkml.org/lkml/2020/6/26/837

 If you apply the patch, please let me know.

 Sorry again to all maintainers who complained about subject lines.
 Now I realized that you want actually perfect prefixes,
 not just subsystem ones.
 I tried my best...
 And yes, *I could* (at least half-)automate it.
 Impossible is nothing! :)


 include/uapi/linux/netfilter/xt_connmark.h | 2 +-
 net/decnet/netfilter/dn_rtmsg.c            | 2 +-
 net/netfilter/Kconfig                      | 2 +-
 net/netfilter/nfnetlink_acct.c             | 2 +-
 net/netfilter/nft_set_pipapo.c             | 4 ++--
 net/netfilter/xt_connmark.c                | 2 +-
 net/netfilter/xt_nfacct.c                  | 2 +-
 net/netfilter/xt_time.c                    | 2 +-
 8 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/include/uapi/linux/netfilter/xt_connmark.h 
b/include/uapi/linux/netfilter/xt_connmark.h
index 1aa5c955ee1e..f01c19b83a2b 100644
--- a/include/uapi/linux/netfilter/xt_connmark.h
+++ b/include/uapi/linux/netfilter/xt_connmark.h
@@ -4,7 +4,7 @@
 
 #include 
 
-/* Copyright (C) 2002,2004 MARA Systems AB 
+/* Copyright (C) 2002,2004 MARA Systems AB 
  * by Henrik Nordstrom 
  *
  * This program is free software; you can redistribute it and/or modify
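
Review bot: the removed and added copyright lines at the top of this hunk read identically as shown here ("/* Copyright (C) 2002,2004 MARA Systems AB"), so the URL being changed is not visible and the http-to-https substitution cannot be confirmed from this copy of the patch. Check the hunk against the file in the tree before acking it.
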
diff --git a/net/decnet/netfilter/dn_rtmsg.c b/net/decnet/netfilter/dn_rtmsg.c
index dc705769acc9..26a9193df783 100644
--- a/net/decnet/netfilter/dn_rtmsg.c
+++ b/net/decnet/netfilter/dn_rtmsg.c
@@ -6,7 +6,7 @@
  *
  *  DECnet Routing Message Grabulator
  *
- *  (C) 2000 ChyGwyn Limited  -  http://www.chygwyn.com/
+ *  (C) 2000 ChyGwyn Limited  -  https://www.chygwyn.com/
  *
  * Author:  Steven Whitehouse 
  */
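
Review bot: the changed line in the file header is the ChyGwyn Limited copyright notice, not documentation, and the commit message's test (both schemes return 200 OK with the same content) only shows that the site answered over HTTPS when the script ran. Ask the listed author to ack the edit to the notice, or drop this hunk and keep the notice as written.
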
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 0ffe2b8723c4..25313c29d799 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -447,7 +447,7 @@ config NF_TABLES
  replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
  provides a pseudo-state machine with an extensible instruction-set
  (also known as expressions) that the userspace 'nft' utility
- (http://www.netfilter.org/projects/nftables) uses to build the
+ (https://www.netfilter.org/projects/nftables) uses to build the
  rule-set. It also comes with the generic set infrastructure that
  allows you to construct mappings between matchings and actions
  for performance lookups.
diff --git a/net/netfilter/nfnetlink_acct.c b/net/netfilter/nfnetlink_acct.c
index 5827117f2635..5bfec829c12f 100644
--- a/net/netfilter/nfnetlink_acct.c
+++ b/net/netfilter/nfnetlink_acct.c
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * (C) 2011 Pablo Neira Ayuso 
- * (C) 2011 Intra2net AG 
+ * (C) 2011 Intra2net AG 
  */
 #include 
 #include 
diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
index 8c04388296b0..78070aa65f62 100644
--- a/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -312,7 +312,7 @@
  *  Jay Ligatti, Josh Kuhn, and Chris Gage.
  *  Proceedings of the IEEE International Conference on Computer
  *  Communication Networks (ICCCN), August 2010.
- *  http://www.cse.usf.edu/~ligatti/papers/grouper-conf.pdf
+ *  https://www.cse.usf.edu/~ligatti/papers/grouper-conf.pdf
  *
  * [Rottenstreich 2010]
  *  Worst-Case TCAM Rule Expansion
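
Review bot: the grouper-conf.pdf link on the changed line points into a personal ~ligatti directory, so it can move or disappear regardless of scheme, and the one-time 200 OK comparison from the commit message does not cover that. The citation above it already gives authors, venue and date; consider adding a stable identifier for the paper next to the link so the reference survives if the URL does not.
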
@@ -325,7 +325,7 @@
  *  Kirill Kogan, Sergey Nikolenko, Ori Rottenstreich, William Culhane,
  *  and Patrick Eugster.
  *  Proceedings of the 2014 ACM conference on SIGCOMM, August 2014.
- *  
http://www.sigcomm.org/sites/default/files/ccr/papers/2014/August/2619239-2626294.pdf
+ *  
https://www.sigcomm.org/sites/default/files/ccr/papers/2014/August/2619239-2626294.pdf
  */
 
 #include 
diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index
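
The "Deterministic algorithm" from the commit message above, as an added Python example that is not the author's script. The regular expressions are copied from the commit message; the function names, the `same_over_https` predicate (standing in for the "both return 200 OK and serve the same content" check), applying the license exclusion to each matched link, and the sample lines are assumptions made here.

```python
import re

# Patterns copied from the commit message's "Deterministic algorithm".
XMLNS = re.compile(r"\bxmlns\b")
LINK = re.compile(r"\bhttp://[^# \t\r\n]*(?:\w|/)")
LICENSE = re.compile(r"\bgnu\.org/license|\bmozilla\.org/MPL\b")


def httpsify_line(line, same_over_https):
    """Rewrite http:// links in one line where the checker approves.

    same_over_https(url) is a caller-supplied (hypothetical) predicate that
    returns True only if the HTTP and HTTPS versions both return 200 OK
    and serve the same content.
    """
    if XMLNS.search(line):  # XML namespace identifiers are names, not links
        return line

    def swap(match):
        url = match.group(0)
        # License URLs stay verbatim; unverified links stay on HTTP.
        if LICENSE.search(url) or not same_over_https(url):
            return url
        return "https://" + url[len("http://"):]

    return LINK.sub(swap, line)


def httpsify_file(path, text, same_over_https):
    """Apply the per-line rule to a whole file; .svg files are skipped."""
    if path.endswith(".svg"):
        return text
    return "".join(httpsify_line(line, same_over_https)
                   for line in text.splitlines(keepends=True))


# Constructed sample input and a stub checker, so the example runs offline.
VERIFIED = {"http://www.netfilter.org/projects/nftables"}
SAMPLE = (
    " (http://www.netfilter.org/projects/nftables) uses to build the\n"
    " see http://www.gnu.org/licenses/ for the license text\n"
    ' <svg xmlns="http://www.w3.org/2000/svg">\n'
    " http://unverified.example/doc.html#frag\n"
)


def demo():
    return httpsify_file("net/netfilter/Kconfig", SAMPLE,
                         lambda url: url in VERIFIED)
```

Only the first sample line changes: the license link and the `xmlns` line are excluded by pattern, and the last link stays on HTTP because the stub checker does not vouch for it.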