Gavin Panella wrote: > On Tue, 14 Apr 2009 13:39:33 -0700 > Monty Taylor <monty@xxxxxxxxxxxx> wrote: > >> Karl Fogel wrote: >>> Lukasz Szybalski <szybalski@xxxxxxxxx> writes: >>>> Hello, >>>> Could you guys elaborate on why every page on launchpad.net is only >>>> accessible via https? >>> Security -- that is, protection from impersonation. We don't want to >>> send passwords or user-specific cookies over plaintext http://, because >>> that might make it possible for someone to impersonate a user, change >>> that user's personal data, or view to data that only that user should >>> have access to. >> Agree. But, as another for instance, having download tarballs only >> accessible via https makes it a bit harder for places where you're >> grabbing those via wget or the like (you have to pass the >> ignore-invald-cert option) > > Hi Monty, > > That's interesting! I use wget for downloading stuff all over the > place and I'd hate to have to use --ignore-invalid-cert all the > time. I don't download much from Launchpad though so I haven't seen > this problem yet; I mostly get at project code with bzr or via a PPA. > > In any case, I would think that Launchpad only publishes resources, > including tarballs, using valid certs. > > Can you give me some example URLs where you're seeing this problem? https://edge.launchpad.net/drizzle/trunk/ongoing/+download/drizzle-2009.04.973.tar.gz ... -bash-3.00$ wget https://edge.launchpad.net/drizzle/trunk/ongoing/+download/drizzle-2009.04.973.tar.gz --2009-04-14 23:42:30-- https://edge.launchpad.net/drizzle/trunk/ongoing/+download/drizzle-2009.04.973.tar.gz Resolving edge.launchpad.net... 91.189.90.244 Connecting to edge.launchpad.net|91.189.90.244|:443... connected. ERROR: cannot verify edge.launchpad.net's certificate, issued by `/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287': Unable to locally verify the issuer's authority. To connect to edge.launchpad.net insecurely, use `--no-check-certificate'. Unable to establish SSL connection. > If they work without warning in Firefox and/or another browser, but > fail with wget, it might just be that wget does not recognise a few > certificate providers, or a specific one, in which case one of us > should file a bug against wget in Ubuntu to ask that it recognise > Launchpad's certificates. > > https://bugs.edge.launchpad.net/ubuntu/+source/wget/+filebug Problem is (as in this case) sometimes you are publishing your stuff for a wider audience. In this case, that's a Solaris host failing to download. I have to support solaris, my boss won't let me not. HOWEVER !!!! I just noticed that the tarball download links have magically become http links. WOOT. Thanks to whoever did this, whenever they did it. Monty
This is the launchpad-users mailing list archive — see also the general help for Launchpad.net mailing lists.
(Formatted by MHonArc.)