From: Tobias Geerinckx-Rice via Bug reports for GNU Guix
Reply-to: Tobias Geerinckx-Rice
Subject: bug#37348: [PATCH] hydra: berlin: Redirect HTTP to HTTPS by default.
Date: Wed, 03 Nov 2021 02:06:31 +0100
Message-ID: <87ilxam46w.fsf@nckx>
In-reply-to: <20211102160950.20467-1-me@tobias.gr>
References: <8736h643ke.fsf@rekahsoft.ca> <20211102160950.20467-1-me@tobias.gr>
Cc: 37348@debbugs.gnu.org
List-Id: Bug reports for GNU Guix

Damn,

Tobias Geerinckx-Rice via Bug reports for GNU Guix wrote:
> This is a conservative patch: it only redirects guix.gnu.org and
> issues.guix.gnu.org, the most (potential-)user-facing sites, to
> HTTPS.
>
> CI should probably remain reachable over HTTP indefinitely.
>
> Subprojects like GWL, friends like Bootstrappable, and anything
> else
> retain ‘user choice’, until they opt in.

The current situation is actually more horked than that:

  ~ λ curl -LI https://gnu.org
  HTTP/1.1 301 Moved Permanently
  […]
  Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

This is a great security policy!  It also announces to the modern
world that *all* HTTP connections to *any* subdomain of gnu.org
should be silently upgraded to HTTPS.

If your UA honours this header and has ever visited gnu.org,
visiting http://ci.guix.gnu.org should not be possible.  It will
immediately upgrade to HTTPS.  Certificate errors can no longer be
bypassed.  guix.gnu.org cannot relax this policy.

Now, for some reason, current Firefox doesn't seem to do any of
this (compatibility?) but it may only be a matter of time.

Kind regards,

T G-R