← Back to team overview

launchpad-users team mailing list archive

Re: https ? why?


On Wed, Apr 15, 2009 at 8:46 AM, Lukasz Szybalski <szybalski@xxxxxxxxx> wrote:
> On Tue, Apr 14, 2009 at 3:48 PM, Karl Fogel <karl.fogel@xxxxxxxxxxxxx> wrote:
>> Monty Taylor <monty@xxxxxxxxxxxx> writes:
>>> Agree. But, as another for instance, having download tarballs only
>>> accessible via https makes it a bit harder for places where you're
>>> grabbing those via wget or the like (you have to pass the
>>> ignore-invald-cert option)
>> Yup (plus John Pyper's points in an earlier mail).
>> I can't promise that this will change anytime soon, since our releases
>> are planned out for a while in advance -- but it would help to have a
>> bug to track this issue at least.  Lukasz, would you be willing to file
>> a bug about this (I searched for one and couldn't find any), and make
>> sure the bug points back to this thread, which is
>>  https://lists.launchpad.net/launchpad-users/threads.html#04962
> The primary reason I'm raising this issues is speed of launchpad.net.
> When I browse other packages, view their source code, check out the
> revision history, view the bugs, check out the blueprints I don't need
> it to be secured over https. http is good enough.
> For each new project on launchpad there is 1 developer (he needs
> https) and potentially 20 users that want to download the
> software.(numbers might very) So 5% of launchpad users at least
> require https, while everybody else (95%) needs http because they want
> their information fast. I think the trade off between speed vs
> security is seen here.
> So lets get to the point. You mentioned that setting it up so that
> https is used only if users is logged is a bit tricky vs implementing
> https for all was immediate?  I would think this shouldn't be that
> hard(maybe 2-3 days) so I guess maybe we should start talking how
> should it be setup/ vs what needs to be done?
> Is the "logged in user" pages separated enough so that they can be
> accessible only through https(redirected to https based on url) or ?