Hi,
Right now a number of Gentoo webpages are by default served over http.
There is a growing trend to push more webpages to default to https,
mostly pushed by google. I think this is a good thing and I think
Gentoo should follow.
Right now we seem to have a mix:
* A number of webpages default
Hi,
Hanno Böck wrote:
Right now a number of Gentoo webpages are by default served over http.
There is a growing trend to push more webpages to default to https,
mostly pushed by google. I think this is a good thing and I think
Gentoo should follow.
+1
Right now we seem to have a mix:
* A
TL;DR: Yes!
* Hanno Böck schrieb am 27.03.15 um 15:33 Uhr:
Hi,
Right now a number of Gentoo webpages are by default served over http.
There is a growing trend to push more webpages to default to https,
mostly pushed by google. I think this is a good thing and I think
Gentoo should follow.
On Fri, Mar 27, 2015 at 3:33 PM, Hanno Böck ha...@gentoo.org wrote:
I'd propose the following:
* Make all pages under .gentoo.org https by default
* Make sure all use modern HTTPS features, including:
* OCSP Stapling
* HSTS
* A secure collection of cipher suites
* (one may add HPKP
On Fri, 27 Mar 2015 15:14:02 -0400
Rich Freeman ri...@gentoo.org wrote:
As has been pointed out, this is a moot issue for Gentoo. However,
I'm not aware of anybody who both offers a free certificate and will
let you change your private key if it is compromised free of charge.
I think wosign
On Fri, Mar 27, 2015 at 03:33:15PM +0100, Hanno Böck wrote:
Right now a number of Gentoo webpages are by default served over http.
There is a growing trend to push more webpages to default to https,
mostly pushed by google. I think this is a good thing and I think
Gentoo should follow.
Please
On Fri, Mar 27, 2015 at 04:44:16PM +0100, Marc Schiffbauer wrote:
Certificates are too expensive
Gentoo already has certs for all pages, so this is not an argument
here, but if this ever becomes an issue there are a number of CAs these
days that issue free certs. In summer the community based
On Fri, Mar 27, 2015 at 8:29 PM, Hanno Böck ha...@gentoo.org wrote:
SSLUseStapling is Apache 2.3+ only, and that isn't stable yet.
That's unfortunate, apache 2.2 is pretty outdated when it
comes to tls security.
Please help with the blockers for 2.4 stabilization!
Cheers,
Dirkjan
On Fri, 27 Mar 2015 19:18:24 +
Robin H. Johnson robb...@gentoo.org wrote:
* Some with logins are mixed http/login-via-https, which makes them
vulnerable to ssl-stripping-attacks (e.g. wiki.gentoo.org)
Are you sure about this? Everything on wiki should always redirect to
SSL very
On Fri, Mar 27, 2015 at 11:44 AM, Marc Schiffbauer msch...@gentoo.org wrote:
* Hanno Böck schrieb am 27.03.15 um 15:33 Uhr:
Certificates are too expensive
Gentoo already has certs for all pages, so this is not an argument
here, but if this ever becomes an issue there are a number of CAs
On Fri, Mar 27, 2015 at 06:14:38PM +0100, Thomas D. wrote:
Right now we seem to have a mix:
* A number of webpages default to http and have optional https
(www.gentoo.org)
* Some with sensitive logins are already https by default (e.g.
bugs.gentoo.org), but they don't use hsts, which
On 27 March 2015 at 19:14, Rich Freeman ri...@gentoo.org wrote:
StartSSL in fact refuses to revoke certificates even when people
publish their private keys publicly. If you buy a previously-used
domain you might want to make sure that there isn't a StartSSL
certificate floating around for it
On Fri, Mar 27, 2015 at 09:45:25PM +0100, Pacho Ramos wrote:
El mié, 25-03-2015 a las 21:25 +, Robin H. Johnson escribió:
[...]
- timeout:
this is how long you we suggest you wait for the maintainer/team to
comment on your change.
Format should be a short duration specifier per
El vie, 27-03-2015 a las 21:03 +, Robin H. Johnson escribió:
On Fri, Mar 27, 2015 at 09:45:25PM +0100, Pacho Ramos wrote:
El mié, 25-03-2015 a las 21:25 +, Robin H. Johnson escribió:
[...]
- timeout:
this is how long you we suggest you wait for the maintainer/team to
On Fri, 27 Mar 2015 22:14:04 +0100
Pacho Ramos pa...@gentoo.org wrote:
I would prefer 1M (well... if the developer is not able to even
comment in bug reports in 1 month, maybe he should have at least a
devaway message explaining how to deal with his/her packages if he is
not able to reply so
El mié, 25-03-2015 a las 21:25 +, Robin H. Johnson escribió:
[...]
- timeout:
this is how long you we suggest you wait for the maintainer/team to
comment on your change.
Format should be a short duration specifier per ISO8601
I'd like to default it to 1 week: 'P1W'.
[...]
I would
On 27 March 2015 at 00:51, William Hubbs willi...@gentoo.org wrote:
The other method is shown by dev-vcs/hub at least, and maybe several
other packages -- e.g. unconditionally installing the completions
according to our small files installation practice and not reflecting
the rdepend on
17 matches
Mail list logo