infra-issues mailing list archives

From "Christopher Tubbs (Jira)" <>
Subject [jira] [Commented] (INFRA-16753) Project websites are still accessible via http
Date Mon, 30 Sep 2019 20:23:00 GMT


Christopher Tubbs commented on INFRA-16753:

Projects can very easily do this themselves (until it is required, anyway), by creating a
proper {{.htaccess}} file, as in

> Project websites are still accessible via http
> ----------------------------------------------
>                 Key: INFRA-16753
>                 URL:
>             Project: Infrastructure
>          Issue Type: Planned Work
>          Components: Website
>            Reporter: Joan Touzet
>            Priority: Minor
> In a long and protracted discussion with the moderator of, we were reminded that:
> "All links to checksums, detached signatures and public keys MUST reference using https:// (TLS)."
> However, there is no point in these links being https unless the websites are forcibly redirected from http -> https.
> The current Infra setup allows URLs such as:
> which are not forcibly redirected to the https (TLS) version. This makes the https:// links in the project download page untrustable, as they could be altered in transit.
> It's 2018, and every browser (even the lowly w3m) has TLS compatibility. Please forcibly redirect all project and foundation websites to https:// versions from http:// versions. You might want to go so far as to submit for HSTS preload, as there is no reason we wouldn't want to do so:
> The moderator of with whom I interacted (who has chosen so far to remain nameless) agreed that this is a good idea, and that I should take it up with Infra.

This message was sent by Atlassian Jira
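
Added example, not part of the original message or of any Infra tooling: a small check for the two properties the issue asks for, a forced http -> https redirect and an HSTS policy strong enough for preload submission. The host name, the sample responses and the function names are constructed for illustration; the preload thresholds are the ones published by hstspreload.org.

```python
from urllib.parse import urlsplit

PRELOAD_MIN_AGE = 31536000  # one year, the minimum hstspreload.org accepts


def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: argument}."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def audit(http_url, http_resp, https_resp):
    """Return findings for one site; an empty list means it passes.

    Each *_resp is a (status, headers) pair with lower-cased header names.
    """
    findings = []
    status, headers = http_resp
    origin = urlsplit(http_url)
    target = urlsplit(headers.get("location", ""))
    if status not in (301, 308):
        findings.append("http is not permanently redirected")
    elif target.scheme != "https":
        findings.append("redirect target is not https")
    elif target.hostname != origin.hostname:
        findings.append("redirect changes host before upgrading to https")

    # Browsers ignore HSTS sent over plain http, so only the https reply counts.
    hsts = parse_hsts(https_resp[1].get("strict-transport-security", ""))
    max_age = hsts.get("max-age", "")
    if not max_age.isdecimal() or int(max_age) == 0:
        findings.append("no effective HSTS policy")
    elif not (int(max_age) >= PRELOAD_MIN_AGE
              and "includesubdomains" in hsts and "preload" in hsts):
        findings.append("HSTS set but not preload-eligible")
    return findings


# Constructed responses for a hypothetical host, not captured traffic.
URL = "http://project.example.invalid/download.html"
SERVED_OVER_HTTP = (200, {"content-type": "text/html"})
REDIRECTED = (301, {"location": "https://project.example.invalid/download.html"})
HTTPS_PLAIN = (200, {})
HTTPS_HSTS = (200, {"strict-transport-security":
                    "max-age=31536000; includeSubDomains; preload"})
```

To audit a live site, feed `audit` the status and headers of one request to the http:// URL (without following redirects) and one to its https:// counterpart.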
