GNU bug report logs - #37348
Force https redirect missing from ci, workflow and workflows guix.info sub-domains

Previous Next

Full log

Message #14 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Tobias Geerinckx-Rice <me <at> tobias.gr>
Cc: 37348 <at> debbugs.gnu.org, bug-guix <at> gnu.org
Subject: Re: bug#37348: [PATCH] hydra: berlin: Redirect HTTP to HTTPS by
 default.
Date: Wed, 03 Nov 2021 02:06:31 +0100

[Message part 1 (text/plain, inline)]

Damn,

Tobias Geerinckx-Rice via Bug reports for GNU Guix 写道：
> This is a conservative patch: it only redirects guix.gnu.org and
> issues.guix.gnu.org, the most (potential-)user-facing sites, to 
> HTTPS.
>
> CI should probably remain reachable over HTTP indefinitely.
>
> Subprojects like GWL, friends like Bootstrappable, and anything 
> else
> retain ‘user choice’, until they opt in.

The current situation is actually more horked than that:

 ~ λ curl -LI https://gnu.org
 HTTP/1.1 301 Moved Permanently
 […]
 Strict-Transport-Security: max-age=63072000; includeSubDomains; 
 preload

This is a great security policy!  It also announces to the modern 
world that *all* HTTP connections to *any* subdomain of gnu.org 
should be silently upgraded to HTTPS.

If your UA honours this header and has ever visited gnu.org, 
visiting http://ci.guix.gnu.org should not be possible.  It will 
immediately upgrade to HTTPS.  Certificate errors can no longer be 
bypassed.  guix.gnu.org cannot relax this policy.

Now, for some reason, current Firefox doesn't seem to do any of 
this (compatibility?) but it may only be a matter of time.

Kind regards,

T G-R

[signature.asc (application/pgp-signature, inline)]

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.