infra-issues mailing list archives

From "Joan Touzet (JIRA)" <>
Subject [jira] [Created] (INFRA-16753) Project websites are still accessible via http
Date Thu, 12 Jul 2018 03:30:00 GMT
Joan Touzet created INFRA-16753:

             Summary: Project websites are still accessible via http
                 Key: INFRA-16753
             Project: Infrastructure
          Issue Type: Task
          Components: Website
            Reporter: Joan Touzet

In a long and protracted discussion with the moderator of, we were reminded

"All links to checksums, detached signatures and public keys MUST reference
using https:// (TLS)."

However, there is no point in these links being https unless the websites are forcibly redirected
from http -> https.

The current Infra setup allows URLs such as:

which are not forcibly redirected to the https (TLS) version. This makes the https:// links
in the project download page untrustable, as they could be altered in transit.

It's 2018, and every browser (even the lowly w3m) has TLS compatibility. Please forcibly redirect
all project and foundation websites to https:// versions from http:// versions. You might
want to go so far as to submit for HSTS preload, as there is no reason we wouldn't
want to do so:

The moderator of with whom I interacted (who has chosen so far to remain
nameless) agreed that this is a good idea, and that I should take it up with Infra.

This message was sent by Atlassian JIRA
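
An added example, not part of the original message or of any Infra tooling: a check of the two properties the ticket asks for, that plain http is redirected to https on the same host and that the https response carries an HSTS header meeting the preload list's published submission requirements (max-age of at least one year, `includeSubDomains`, `preload`). The host name `project.example` and the captured responses are constructed for illustration.

```python
from urllib.parse import urlsplit

PRELOAD_MIN_AGE = 31536000  # one year in seconds, the preload list minimum
REDIRECTS = (301, 302, 307, 308)

def parse_hsts(value):
    """Split a Strict-Transport-Security value into (max_age, flag names)."""
    max_age, flags = None, set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            digits = arg.strip().strip('"')
            max_age = int(digits) if digits.isdigit() else None
        elif name:
            flags.add(name)
    return max_age, flags

def audit(host, http_resp, https_resp):
    """Findings for one host, given (status, headers) captured from
    http://host/ and https://host/ (header names lower-cased)."""
    findings = []
    status, headers = http_resp
    target = urlsplit(headers.get("location", ""))
    if status not in REDIRECTS:
        findings.append("http is served without a redirect")
    elif target.scheme != "https" or target.hostname != host:
        findings.append("redirect does not go to https on the same host")
    hsts = https_resp[1].get("strict-transport-security")
    if hsts is None:
        findings.append("no HSTS header on https response")
    else:
        max_age, flags = parse_hsts(hsts)
        if max_age is None or max_age < PRELOAD_MIN_AGE:
            findings.append("HSTS max-age below one year")
        findings += [f"HSTS missing {d}" for d in ("includesubdomains", "preload")
                     if d not in flags]
    return findings

# Constructed responses for a placeholder host; not captured from any real site.
HOST = "project.example"
PLAIN = ((200, {}), (200, {}))
WEAK = ((301, {"location": "https://project.example/"}),
        (200, {"strict-transport-security": "max-age=86400"}))
GOOD = ((301, {"location": "https://project.example/"}),
        (200, {"strict-transport-security": "max-age=63072000; includeSubDomains; preload"}))

if __name__ == "__main__":
    for name, pair in (("plain", PLAIN), ("weak", WEAK), ("good", GOOD)):
        print(name, audit(HOST, *pair) or "ok")
```

The `PLAIN` case is the situation the ticket describes: the page is served over http with no redirect, so the https:// links it contains arrive over a channel that gives no integrity guarantee.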
