On Thu, 28 Oct 2010 09:56:27 +0200
Pierre Schmitz wrote:
> [...]
>
> In general I think it's a good idea that we now use https for most
> sites and we shouldn't discuss about if that is sane or not but why
> are some clients unable to handle it.
>
This just popped into my feedreader:
http://ut
On Sat, 30 Oct 2010 18:01:19 +0200
Philipp Überbacher wrote:
>
> It's funny that even on this technical list the term hacker is used :)
>
Really? It made me cry. However this whole thread is far beyond the
border of our beloved state of "useful". This was a short determination
between louipc an
Excerpts from Justin Davis's message of 2010-10-30 17:47:59 +0200:
> On Sat, Oct 30, 2010 at 4:42 AM, Philipp Überbacher
> wrote:
> >
> > Often enough, and AUR is an example, it's sufficient to be logged in to
> > change the current password. Knowing the session ID is thus almost
> > equivalent to
On Sat, Oct 30, 2010 at 08:47:59AM -0700, Justin Davis wrote:
> If the password is used in more than one place and sniffed out, then
> not only is the user's AUR account compromised but also other accounts
> on other websites. It is easier to run a sniffing program that are
> already setup to searc
On Sat, Oct 30, 2010 at 4:42 AM, Philipp Überbacher
wrote:
>
> Often enough, and AUR is an example, it's sufficient to be logged in to
> change the current password. Knowing the session ID is thus almost
> equivalent to knowing the password.
>
If the password is used in more than one place and sn
On Sat, Oct 30, 2010 at 02:30:58PM +0200, Philipp Überbacher wrote:
> Now that you say maintainers, I wonder how the system works for TUs,
> since they do upload binary packages. Is there a single sign-on or
> something like this?
We upload packages using devtools and SSH (scp(1)) - the same way t
Excerpts from Smartboy's message of 2010-10-30 14:08:35 +0200:
> On 10/30/2010 04:42 AM, Philipp Überbacher wrote:
> > Excerpts from Justin Davis's message of 2010-10-29 20:25:26 +0200:
> >> I'm glad I sparked a discussion!
> >>
> >> I however am still on the decidedly non-paranoid side. Yes I know
On 10/30/2010 04:42 AM, Philipp Überbacher wrote:
> Excerpts from Justin Davis's message of 2010-10-29 20:25:26 +0200:
>> I'm glad I sparked a discussion!
>> I however am still on the decidedly non-paranoid side. Yes I know how
>> man in the middle attacks work. Yes I understand it's possible. No I
>> don't
Excerpts from Justin Davis's message of 2010-10-29 20:25:26 +0200:
> I'm glad I sparked a discussion!
>
> I however am still on the decidedly non-paranoid side. Yes I know how
> man in the middle attacks work. Yes I understand it's possible. No I
> don't think it's likely. Basically because there
I'm glad I sparked a discussion!
I however am still on the decidedly non-paranoid side. Yes I know how
man in the middle attacks work. Yes I understand it's possible. No I
don't think it's likely. Basically because there is no money involved.
Take that as naivete or ignorance if you want but I'm n
On 2010-10-29 00:32 -0400 (43:5)
Loui Chang wrote:
> On Thu 28 Oct 2010 18:01 +0300, Ionuț Bîru wrote:
> > On 10/28/2010 03:27 AM, Loui Chang wrote:
> > >On Wed 27 Oct 2010 14:14 +0200, Pierre Schmitz wrote:
> > >>On Wed, 27 Oct 2010 11:40:19 +0300, Ionuț Bîru
> > >>wrote:
> > >>>As I said earlier
On Thu 28 Oct 2010 18:01 +0300, Ionuț Bîru wrote:
> On 10/28/2010 03:27 AM, Loui Chang wrote:
> >On Wed 27 Oct 2010 14:14 +0200, Pierre Schmitz wrote:
> >>On Wed, 27 Oct 2010 11:40:19 +0300, Ionuț Bîru
> >>wrote:
> >>>As I said earlier in a reply to Loui, maybe we can do it
> >>>better. Having https
On 10/28/2010 03:27 AM, Loui Chang wrote:
> On Wed 27 Oct 2010 14:14 +0200, Pierre Schmitz wrote:
>> On Wed, 27 Oct 2010 11:40:19 +0300, Ionuț Bîru
>> wrote:
>>> As I said earlier in a reply to Loui, maybe we can do it
>>> better. Having https only for login and then redirecting to http is
>>> like not having it at
On 10/28/2010 08:59 AM, Justin Davis wrote:
> On Wed, Oct 27, 2010 at 5:14 AM, Pierre Schmitz wrote:
>> On Wed, 27 Oct 2010 11:40:19 +0300, Ionuț Bîru
>> wrote:
>>> As I said earlier in a reply to Loui, maybe we can do it
>>> better. Having https only for login and then redirecting to http is
>>> like not having i
On Thu, 28 Oct 2010 15:42:31 +0800, Gergely Imreh
wrote:
> On 28 October 2010 14:59, Justin Davis wrote:
>> On Wed, Oct 27, 2010 at 5:14 AM, Pierre Schmitz wrote:
>>> On Wed, 27 Oct 2010 11:40:19 +0300, Ionuț Bîru
>>> wrote:
>>
>>>> As I said earlier in a reply to Loui, maybe we can do it
On Thu, 28 Oct 2010 03:13:42 -0400, Kaiting Chen
wrote:
>> Pierre,
>> How is sending publicly available information unencrypted insecure? It
>> does not warrant a need for additional security in the first place. If
>> someone wants to see what comments you post on a package they go look
>> at the
On Thu, 28 Oct 2010 15:42:31 +0800, Gergely Imreh
wrote:
> On 28 October 2010 14:59, Justin Davis wrote:
>> Pierre,
>> How is sending publicly available information unencrypted insecure? It
>> does not warrant a need for additional security in the first place. If
>> someone wants to see what comm
On 28 October 2010 14:59, Justin Davis wrote:
> On Wed, Oct 27, 2010 at 5:14 AM, Pierre Schmitz wrote:
>> On Wed, 27 Oct 2010 11:40:19 +0300, Ionuț Bîru
>> wrote:
>
>>> As I said earlier in a reply to Loui, maybe we can do it
>>> better. Having https only for login and then redirecting to http is
On 10/28/10 02:59, Justin Davis wrote:
> Pierre,
> How is sending publicly available information unencrypted insecure?
Some (weak) arguments:
1. net infrastructure in between me and Arch-server can see which
specific pages on aur.archlinux.org that I'm loading. And even change
data such as PKGB
>
> Ionut,
> This is a ridiculous claim. Maybe we should tell that to amazon,
> newegg, and oh I don't know... 99% of websites on the planet? Most
> sites use https only for logins and transactions. Publicly available
> information like aur comments, aur packages, images, etc don't really
> need en
On Wed, Oct 27, 2010 at 5:14 AM, Pierre Schmitz wrote:
> On Wed, 27 Oct 2010 11:40:19 +0300, Ionuț Bîru
> wrote:
>> As I said earlier in a reply to Loui, maybe we can do it
>> better. Having https only for login and then redirecting to http is
>> like not having it at all.
Ionut,
This is a ridic
On Wed 27 Oct 2010 14:14 +0200, Pierre Schmitz wrote:
> On Wed, 27 Oct 2010 11:40:19 +0300, Ionuț Bîru
> wrote:
> > As I said earlier in a reply to Loui, maybe we can do it
> > better. Having https only for login and then redirecting to http is
> > like not having it at all.
>
> Simply using https
On Wed, 27 Oct 2010 11:40:19 +0300, Ionuț Bîru
wrote:
> As I said earlier in a reply to Loui, maybe we can do it
> better. Having https only for login and then redirecting to http is
> like not having it at all.
Simply using https for all connections is the easiest and best solution
imho. Everythi
On 10/27/2010 05:49 AM, Justin Davis wrote:
> On Tue, Oct 26, 2010 at 1:50 PM, Ionuț Bîru wrote:
>> Hi,
>> we are now using default https for aur.archlinux.org. Some aur helpers may
>> need adjustment, others like cower/slurpy already work as expected.
>> Kudos for their maintainers for following the aur
On 10/27/2010 03:44 AM, Loui Chang wrote:
> On Tue 26 Oct 2010 23:50 +0300, Ionuț Bîru wrote:
>> we are now using default https for aur.archlinux.org. Some aur
>> helpers may need adjustment, others like cower/slurpy already work
>> as expected.
>> Kudos for their maintainers for following the aur developme
On Tue, Oct 26, 2010 at 1:50 PM, Ionuț Bîru wrote:
> Hi,
>
> we are now using default https for aur.archlinux.org. Some aur helpers may
> need adjustment, others like cower/slurpy already work as expected.
>
> Kudos for their maintainers for following the aur development
Hi I maintain clyde late
On Tue 26 Oct 2010 23:50 +0300, Ionuț Bîru wrote:
> we are now using default https for aur.archlinux.org. Some aur
> helpers may need adjustment, others like cower/slurpy already work
> as expected.
>
> Kudos for their maintainers for following the aur development
Hmm. How did you go about doing
27 matches