launchpad-users team mailing list archive

[Lukasz Szybalski <szybalski@xxxxxxxxx>]

On Tue, Apr 14, 2009 at 3:48 PM, Karl Fogel <karl.fogel@xxxxxxxxxxxxx> wrote:
> Monty Taylor <monty@xxxxxxxxxxxx> writes:
>> Agree. But, as another for instance, having download tarballs only
>> accessible via https makes it a bit harder for places where you're
>> grabbing those via wget or the like (you have to pass the
>> ignore-invald-cert option)
>
> Yup (plus John Pyper's points in an earlier mail).
>
> I can't promise that this will change anytime soon, since our releases
> are planned out for a while in advance -- but it would help to have a
> bug to track this issue at least.  Lukasz, would you be willing to file
> a bug about this (I searched for one and couldn't find any), and make
> sure the bug points back to this thread, which is
>
>  https://lists.launchpad.net/launchpad-users/threads.html#04962
>


The primary reason I'm raising this issues is speed of launchpad.net.
When I browse other packages, view their source code, check out the
revision history, view the bugs, check out the blueprints I don't need
it to be secured over https. http is good enough.

For each new project on launchpad there is 1 developer (he needs
https) and potentially 20 users that want to download the
software.(numbers might very) So 5% of launchpad users at least
require https, while everybody else (95%) needs http because they want
their information fast. I think the trade off between speed vs
security is seen here.

So lets get to the point. You mentioned that setting it up so that
https is used only if users is logged is a bit tricky vs implementing
https for all was immediate?  I would think this shouldn't be that
hard(maybe 2-3 days) so I guess maybe we should start talking how
should it be setup/ vs what needs to be done?

Is the "logged in user" pages separated enough so that they can be
accessible only through https(redirected to https based on url) or ?


Thank you,
Lucas