[racket-users] Re: HTTPS for Racket web sites and packages
Can you change also the snapshots in utah.edu to access to the catalog with https? The server supports https.

On 09/01/16 04:54, Matthew Flatt wrote:
> Sam, Ryan, I, and others have been moving Racket services to HTTPS:
>
>   https://racket-lang.org/
>
> We're changing all references to use HTTPS, so if you go to
> "http://racket-lang.org" (no "s"), the "Download" link takes you to
> "https://download.racket-lang.org/". The default download button on
> that page similarly points to "https://mirror.racket-lang.org/".
>
> We have not yet started enforcing HTTPS on any of our pages, either
> through a redirect from "http://" to "https://" or through HSTS. We
> want to gain more confidence in our setup before taking that step.
>
>
> Packages and catalog:
>
> You can set "https://pkgs.racket-lang.org/" as your package catalog,
> and we've made that the default for the next release. Beware, however,
> that `raco pkg` in v6.3 and earlier does not actually make a secure
> connection for HTTPS references (because it doesn't validate the
> server's certificate); we've fixed that for the next release.
>
> With the development version of Racket, if you want to use an insecure
> HTTPS reference for some reason with `raco pkg` (e.g., to a server with
> a self-signed certificate), set the `PLT_PKG_SSL_NO_VERIFY` environment
> variable.
>
>
> General security note:
>
> Except for "https://mirror.racket-lang.org", HTTPS content is provided
> via CloudFlare from an HTTP (not HTTPS) access of S3. So, you can only
> trust the content of "https://pkgs.racket-lang.org" to the degree that
> you trust Amazon, CloudFlare, and the channel between them to provide
> the data that we put on S3. We may eventually strengthen the channel
> between our data (especially package metadata) and HTTPS services, but
> we're not working on that right now.
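Added example, not part of the thread and not Racket's own code: a POSIX shell check for the client-side weaknesses the announcement describes (a catalog that is not HTTPS, `PLT_PKG_SSL_NO_VERIFY` being set) plus a classifier for the "v6.3 and earlier" statement. The function names are hypothetical, and the one-URL-per-line input is assumed to match what `raco pkg config catalogs` prints.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of Racket.

# Read catalog URLs on stdin, one per line (assumed to match the output of
# `raco pkg config catalogs`); print findings, return 1 if there are any.
audit_pkg_tls() {
    findings=0
    # Per the thread, setting this variable turns off certificate validation.
    if [ -n "${PLT_PKG_SSL_NO_VERIFY+set}" ]; then
        echo "FINDING: PLT_PKG_SSL_NO_VERIFY is set; server certificates are not validated"
        findings=$((findings + 1))
    fi
    while IFS= read -r line; do
        url=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case "$url" in
            ''|https://*|file://*|/*) ;;   # blank, TLS, or local catalog
            *)  echo "FINDING: catalog is not HTTPS: $url"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Classify a Racket version against "v6.3 and earlier does not validate".
pkg_tls_status() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    if [ "$major" -lt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -lt 3 ]; }; then
        echo no-validation
    elif [ "$1" = "6.3" ]; then
        echo no-validation
    elif [ "$major" -eq 6 ] && [ "$minor" -eq 3 ]; then
        echo unknown    # 6.3.x snapshot: the thread does not say which build has the fix
    else
        echo validates  # later release; the thread says the fix ships in the next one
    fi
}

# Constructed sample input, not a real configuration:
printf '%s\n' 'https://pkgs.racket-lang.org/' 'http://pkgs.racket-lang.org/' \
    | audit_pkg_tls || true
pkg_tls_status 6.3
```

On a real installation, pipe `raco pkg config catalogs` into `audit_pkg_tls`. Neither check covers the CloudFlare-to-S3 hop from the general security note, which sits behind the TLS endpoint and is not visible to the client.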
Re: [racket-users] Re: HTTPS for Racket web sites and packages
The snapshots from Utah should be configured that way already, at least in the most recent snapshots (6.3.0.14). Were you looking at an older build? If not, can you say more about where you're seeing non-HTTPS URLs?

At Sun, 10 Jan 2016 00:45:52 +0100, Juan Francisco Cantero Hurtado wrote:
> Can you change also the snapshots in utah.edu to access to the catalog
> with https? The server supports https.
Re: [racket-users] Re: HTTPS for Racket web sites and packages
Yes, I was testing 6.3.0.13. Sorry for the noise.

On Saturday, 9 January 2016 17:39:02 (CET) Matthew Flatt wrote:
> The snapshots from Utah should be configured that way already, at least
> in the most recent snapshots (6.3.0.14). Were you looking at an older
> build? If not, can you say more about where you're seeing non-HTTPS
> URLs?