From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <bug-guix-bounces+larch=yhetil.org@gnu.org>
Received: from mp1 ([2001:41d0:2:bcc0::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms0.migadu.com with LMTPS
	id U28fMWnigWHHiAAAgWs5BA
	(envelope-from <bug-guix-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Wed, 03 Nov 2021 02:14:17 +0100
Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp1 with LMTPS
	id 0NwNLGnigWHySgAAbx9fmQ
	(envelope-from <bug-guix-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Wed, 03 Nov 2021 01:14:17 +0000
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id 6293F2F935
	for <larch@yhetil.org>; Wed,  3 Nov 2021 02:14:17 +0100 (CET)
Received: from localhost ([::1]:48606 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <bug-guix-bounces+larch=yhetil.org@gnu.org>)
	id 1mi4r2-0003bG-Hv
	for larch@yhetil.org; Tue, 02 Nov 2021 21:14:16 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:45140)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1mi4qo-0003ZL-NJ
 for bug-guix@gnu.org; Tue, 02 Nov 2021 21:14:02 -0400
Received: from debbugs.gnu.org ([209.51.188.43]:55100)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1mi4qo-0004B8-E4
 for bug-guix@gnu.org; Tue, 02 Nov 2021 21:14:02 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1mi4qo-0001D4-4T
 for bug-guix@gnu.org; Tue, 02 Nov 2021 21:14:02 -0400
X-Loop: help-debbugs@gnu.org
Subject: bug#37348: [PATCH] hydra: berlin: Redirect HTTP to HTTPS by default.
Resent-From: Tobias Geerinckx-Rice <me@tobias.gr>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-guix@gnu.org
Resent-Date: Wed, 03 Nov 2021 01:14:02 +0000
Resent-Message-ID: <handler.37348.B.16359020174613@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 37348
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: 
Cc: 37348@debbugs.gnu.org
X-Debbugs-Original-Cc: 37348@debbugs.gnu.org, bug-guix@gnu.org
Received: via spool by submit@debbugs.gnu.org id=B.16359020174613
 (code B ref -1); Wed, 03 Nov 2021 01:14:02 +0000
Received: (at submit) by debbugs.gnu.org; 3 Nov 2021 01:13:37 +0000
Received: from localhost ([127.0.0.1]:38413 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1mi4qP-0001CL-KK
 for submit@debbugs.gnu.org; Tue, 02 Nov 2021 21:13:37 -0400
Received: from lists.gnu.org ([209.51.188.17]:49646)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <me@tobias.gr>) id 1mi4qO-0001CD-72
 for submit@debbugs.gnu.org; Tue, 02 Nov 2021 21:13:37 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:45032)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <me@tobias.gr>) id 1mi4qO-0003Bd-2y
 for bug-guix@gnu.org; Tue, 02 Nov 2021 21:13:36 -0400
Received: from tobias.gr ([2a02:c205:2020:6054::1]:41946)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <me@tobias.gr>) id 1mi4qL-00047F-S3
 for bug-guix@gnu.org; Tue, 02 Nov 2021 21:13:35 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=2018; bh=1VPYgUt5l891o
 LuDVYnRMMa4X8/kIDFeftW4ZM7BJR0=;
 h=in-reply-to:date:subject:cc:from:
 references; d=tobias.gr; b=birwZpwrgXirxm9BQSxZ9l1LgbcALcDq+wd+7sAG1db
 APJ1rnd+QXZP26aVNv+v1agMt6zF2CZrxt0ZkzmAQ2gdNYnW2npePJ5vXcU+yIzGKAtB/Q
 dpWDBCq1trS/L1Vc+M1s5M9y5oWY623UBfoH69CKFKEXyLFg6uh3/4KWfP7y7oQXh+b6Nn
 nipdgZaqSVhKZ0MXhUbiG3D7dsX3xbI4OzOslqi/vGjqgziQvt0cLWcSWvs0W4KiXMg7wM
 5Gbru7I9pQH7Ju7u7ZEZeCUdoJqm2JFN/uw6tsZBTtf3Dcd5VmY/XthXMyKFAh41mDXAh1
 ovbRKd7kvfNmvrf0qrw==
Received: by submission.tobias.gr (OpenSMTPD) with ESMTPSA id 185b14e4
 (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO); 
 Wed, 3 Nov 2021 01:13:28 +0000 (UTC)
References: <8736h643ke.fsf@rekahsoft.ca> <20211102160950.20467-1-me@tobias.gr>
Date: Wed, 03 Nov 2021 02:06:31 +0100
In-reply-to: <20211102160950.20467-1-me@tobias.gr>
BIMI-Selector: v=BIMI1; s=default;
Message-ID: <87ilxam46w.fsf@nckx>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
Received-SPF: pass client-ip=2a02:c205:2020:6054::1; envelope-from=me@tobias.gr;
 helo=tobias.gr
X-Spam_score_int: -10
X-Spam_score: -1.1
X-Spam_bar: -
X-Spam_report: (-1.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, MISSING_HEADERS=1.021,
 SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no
X-Spam_action: no action
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: bug-guix@gnu.org
List-Id: Bug reports for GNU Guix <bug-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-guix>,
 <mailto:bug-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-guix>
List-Post: <mailto:bug-guix@gnu.org>
List-Help: <mailto:bug-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-guix>,
 <mailto:bug-guix-request@gnu.org?subject=subscribe>
Errors-To: bug-guix-bounces+larch=yhetil.org@gnu.org
Sender: "bug-Guix" <bug-guix-bounces+larch=yhetil.org@gnu.org>
Reply-to:  Tobias Geerinckx-Rice <me@tobias.gr>
From:  Tobias Geerinckx-Rice via Bug reports for GNU Guix <bug-guix@gnu.org>
X-Migadu-Flow: FLOW_IN
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1635902057;
	h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date:
	 message-id:message-id:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:resent-cc:resent-from:resent-sender:
	 resent-message-id:in-reply-to:in-reply-to:references:references:
	 list-id:list-help:list-unsubscribe:list-subscribe:list-post:
	 dkim-signature; bh=1VPYgUt5l891oLuDVYnRMMa4X8/kIDFeftW4ZM7BJR0=;
	b=hUMMn5JaFr2voSI3GwK8kGcW4Q+ZvNGq+Gwhs3CoUivZwe64vArZ91UMxKbIUm7IvWF9cZ
	PJG8msQjeLPgQd/DvkgZGkXsU2/4eipmrA0iF3HcRx77+Zi2I7+nqpQZjMOz2uoLJbqMbW
	0ycpGeyCi22v02nrhN04igpnBDN/D6modMy9qxKOobRMVuK4zUmSpZQV7dAuLRAFBorSOF
	T15ZTHocrca/CDjwlP0eqB2YtS36H0CZ6Pz2aP6DahnP9ETT9k6NEcwBLEGaCzSXGn0ezV
	rlW2rYj66uxsLOVHUtkAMqXinvhQ/6eCZeeJkZQwLn9MljofHYctPbrEvIzkZA==
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1635902057; a=rsa-sha256; cv=none;
	b=JFM03fungYbFtWgHg9HARvRwJlc3tyv2BB651kfLdzuNiG4gSgEubNkFsuWc8uIzENoDEL
	Zju//z6d23D2IzynMhvD6g+bhZo6jU5LbFXwNPvD40W399ieI/vtaTz4nFAi/EZHPOGs+3
	YdlpS8+sw4dhUz4/Khj1ydkSR0brH3U1CKmbABG326CR4zZhr6mZ67X9Qb3PXkW8EEBHMD
	TWOrrrRe5BZF8XPl5SLVQNF0s8inyYTWABYhpZ1Fxj/0N7OS7lKvG/6tJFIk4w2+Eblkue
	LOncqwn4RN2yChj4PdDEMkwAQoCo4RDD05u7/Bcxa7nWLzp5NCSHC3yyCqy4aQ==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=fail ("headers rsa verify failed") header.d=tobias.gr header.s=2018 header.b=birwZpwr;
	dmarc=pass (policy=none) header.from=gnu.org;
	spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org
X-Migadu-Spam-Score: -2.52
Authentication-Results: aspmx1.migadu.com;
	dkim=fail ("headers rsa verify failed") header.d=tobias.gr header.s=2018 header.b=birwZpwr;
	dmarc=pass (policy=none) header.from=gnu.org;
	spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org
X-Migadu-Queue-Id: 6293F2F935
X-Spam-Score: -2.52
X-Migadu-Scanner: scn0.migadu.com
X-TUID: NM8R/4RgjD9F

--=-=-=
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable

Damn,

Tobias Geerinckx-Rice via Bug reports for GNU Guix =E5=86=99=E9=81=93=EF=BC=
=9A
> This is a conservative patch: it only redirects guix.gnu.org and
> issues.guix.gnu.org, the most (potential-)user-facing sites, to=20
> HTTPS.
>
> CI should probably remain reachable over HTTP indefinitely.
>
> Subprojects like GWL, friends like Bootstrappable, and anything=20
> else
> retain =E2=80=98user choice=E2=80=99, until they opt in.

The current situation is actually more horked than that:

  ~ =CE=BB curl -LI https://gnu.org
  HTTP/1.1 301 Moved Permanently
  [=E2=80=A6]
  Strict-Transport-Security: max-age=3D63072000; includeSubDomains;=20
  preload

This is a great security policy!  It also announces to the modern=20
world that *all* HTTP connections to *any* subdomain of gnu.org=20
should be silently upgraded to HTTPS.

If your UA honours this header and has ever visited gnu.org,=20
visiting http://ci.guix.gnu.org should not be possible.  It will=20
immediately upgrade to HTTPS.  Certificate errors can no longer be=20
bypassed.  guix.gnu.org cannot relax this policy.

Now, for some reason, current Firefox doesn't seem to do any of=20
this (compatibility?) but it may only be a matter of time.

Kind regards,

T G-R

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iIMEARYKACsWIQT12iAyS4c9C3o4dnINsP+IT1VteQUCYYHiRw0cbWVAdG9iaWFz
LmdyAAoJEA2w/4hPVW156/MA/jGe0pPAhCnUM7ru93JFTLnId7eqRuibxLP38gho
gSizAP9vcvv3TM2FgzT+a7ja326Kec1dR6PxfKVE+7A0RlD0Bw==
=0ZQL
-----END PGP SIGNATURE-----
--=-=-=--