
launchpad-users team mailing list archive

Re: https ? why?

 

On Tue, 14 Apr 2009 13:39:33 -0700
Monty Taylor <monty@xxxxxxxxxxxx> wrote:

> Karl Fogel wrote:
> > Lukasz Szybalski <szybalski@xxxxxxxxx> writes:
> >> Hello,
> >> Could you guys elaborate on why every page on launchpad.net is only
> >> accessible via https?
> > 
> > Security -- that is, protection from impersonation.  We don't want to
> > send passwords or user-specific cookies over plaintext http://, because
> > that might make it possible for someone to impersonate a user, change
> > that user's personal data, or view data that only that user should
> > have access to.
> 
> Agree. But, as another for instance, having download tarballs only
> accessible via https makes it a bit harder for places where you're
> grabbing those via wget or the like (you have to pass the
> ignore-invalid-cert option)

Hi Monty,

That's interesting! I use wget for downloading stuff all over the
place and I'd hate to have to use --ignore-invalid-cert all the
time. I don't download much from Launchpad though so I haven't seen
this problem yet; I mostly get at project code with bzr or via a PPA.

In any case, I would think that Launchpad only publishes resources,
including tarballs, using valid certs.

Can you give me some example URLs where you're seeing this problem?

If they work without warning in Firefox and/or another browser, but
fail with wget, it might just be that wget does not recognise a few
certificate providers, or a specific one, in which case one of us
should file a bug against wget in Ubuntu to ask that it recognise
Launchpad's certificates.

  https://bugs.edge.launchpad.net/ubuntu/+source/wget/+filebug

Gavin.


