Changing guix download page from using HTTP to HTTPS

Changing guix download page from using HTTP to HTTPS

[Alex Vong]

[-- Attachment #1: Type: text/plain, Size: 460 bytes --]

Hello,

In the guix download page[0], it mentions "Source code for the Guix
System Distribution USB installation images as well as GNU Guix can be
found on the GNU ftp server for alpha releases:
http://alpha.gnu.org/gnu/guix/ (via HTTP) and
ftp://alpha.gnu.org/gnu/guix/ (via FTP).".

Should we change "http://alpha.gnu.org/gnu/guix/ (via HTTP)" to
"https://alpha.gnu.org/gnu/guix/ (via HTTPS)"?

Cheers,
Alex

[0]: https://www.gnu.org/software/guix/download/

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

Re: Changing guix download page from using HTTP to HTTPS

[ng0]

On 17-03-05 23:15:25, Alex Vong wrote:
> Hello,
> 
> In the guix download page[0], it mentions "Source code for the Guix
> System Distribution USB installation images as well as GNU Guix can be
> found on the GNU ftp server for alpha releases:
> http://alpha.gnu.org/gnu/guix/ (via HTTP) and
> ftp://alpha.gnu.org/gnu/guix/ (via FTP).".
> 
> Should we change "http://alpha.gnu.org/gnu/guix/ (via HTTP)" to
> "https://alpha.gnu.org/gnu/guix/ (via HTTPS)"?
> 
> Cheers,
> Alex
> 
> [0]: https://www.gnu.org/software/guix/download/



The primary link should be https not ftp, I've asked about this in a
thread which derailed and got not very much attention to the question I
asked so far.. which was rewritting all occurences of ftp:// on the
website to https:// for alpha.gnu.org.
As it is, it is inaccessible for tor users. This would fix it.

Re: Changing guix download page from using HTTP to HTTPS

[Mike Gerwitz]

[-- Attachment #1: Type: text/plain, Size: 468 bytes --]

On Sun, Mar 05, 2017 at 16:32:16 +0000, ng0 wrote:
> As it is, it is inaccessible for tor users. This would fix it.

The FTP server you mean?  rms has asked the FSF sysadmins to fix this as
of a day or two ago, so hopefully that'll work soon.

-- 
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B  2388 FEF6 3574 5E6F 6D05
Old: 2217 5B02 E626 BC98 D7C0  C2E5 F22B B815 8EE3 0EAB
https://mikegerwitz.com

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 818 bytes --]

Re: Changing guix download page from using HTTP to HTTPS

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 696 bytes --]

On Sun, Mar 05, 2017 at 11:15:25PM +0800, Alex Vong wrote:
> Hello,
> 
> In the guix download page[0], it mentions "Source code for the Guix
> System Distribution USB installation images as well as GNU Guix can be
> found on the GNU ftp server for alpha releases:
> http://alpha.gnu.org/gnu/guix/ (via HTTP) and
> ftp://alpha.gnu.org/gnu/guix/ (via FTP).".
> 
> Should we change "http://alpha.gnu.org/gnu/guix/ (via HTTP)" to
> "https://alpha.gnu.org/gnu/guix/ (via HTTPS)"?

Absolutely.

Everyone *should* verify the signatures, but I know that many people do
not. HTTPS makes it harder to perform a man-in-the-middle attack on
those users, and it also gives them some privacy.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: Changing guix download page from using HTTP to HTTPS

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 708 bytes --]

On Sun, Mar 05, 2017 at 11:15:25PM +0800, Alex Vong wrote:
> Hello,
> 
> In the guix download page[0], it mentions "Source code for the Guix
> System Distribution USB installation images as well as GNU Guix can be
> found on the GNU ftp server for alpha releases:
> http://alpha.gnu.org/gnu/guix/ (via HTTP) and
> ftp://alpha.gnu.org/gnu/guix/ (via FTP).".
> 
> Should we change "http://alpha.gnu.org/gnu/guix/ (via HTTP)" to
> "https://alpha.gnu.org/gnu/guix/ (via HTTPS)"?

The web page is created from the guix-artwork repo:

https://git.savannah.gnu.org/cgit/guix/guix-artwork.git

You can send patches for that repo and then we will build the site and
deploy the changes with CVS (!).

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: Changing guix download page from using HTTP to HTTPS

[ng0]

On 17-03-05 13:25:47, Mike Gerwitz wrote:
> On Sun, Mar 05, 2017 at 16:32:16 +0000, ng0 wrote:
> > As it is, it is inaccessible for tor users. This would fix it.
> 
> The FTP server you mean?  rms has asked the FSF sysadmins to fix this as
> of a day or two ago, so hopefully that'll work soon.
> 
> -- 
> Mike Gerwitz
> Free Software Hacker+Activist | GNU Maintainer & Volunteer
> GPG: D6E9 B930 028A 6C38 F43B  2388 FEF6 3574 5E6F 6D05
> Old: 2217 5B02 E626 BC98 D7C0  C2E5 F22B B815 8EE3 0EAB
> https://mikegerwitz.com


No, this won't fix the fact that port 21+20, the ones commonly used for
ftp, are commonly blocked by most relays. Switching to http OR https and
not making ftp the legacy protocol of choice will help here.
Unless rms went by my recommendation to offer onion services, but all I
know is that they are talking at the moment.

Re: Changing guix download page from using HTTP to HTTPS

[ng0]

On 17-03-05 19:45:07, ng0 wrote:
> On 17-03-05 13:25:47, Mike Gerwitz wrote:
> > On Sun, Mar 05, 2017 at 16:32:16 +0000, ng0 wrote:
> > > As it is, it is inaccessible for tor users. This would fix it.
> > 
> > The FTP server you mean?  rms has asked the FSF sysadmins to fix this as
> > of a day or two ago, so hopefully that'll work soon.
> > 
> > -- 
> > Mike Gerwitz
> > Free Software Hacker+Activist | GNU Maintainer & Volunteer
> > GPG: D6E9 B930 028A 6C38 F43B  2388 FEF6 3574 5E6F 6D05
> > Old: 2217 5B02 E626 BC98 D7C0  C2E5 F22B B815 8EE3 0EAB
> > https://mikegerwitz.com
> 
> 
> No, this won't fix the fact that port 21+20, the ones commonly used for
> ftp, are commonly blocked by most relays. Switching to http OR https and
> not making ftp the legacy protocol of choice will help here.
> Unless rms went by my recommendation to offer onion services, but all I
> know is that they are talking at the moment.
> 

Sorry, I thought this was a very selective reply to the patch for the
website I've sent today. But my reply still stands.

Re: Changing guix download page from using HTTP to HTTPS

[Alex Vong]

[-- Attachment #1: Type: text/plain, Size: 1270 bytes --]

Hello ng0,

ng0 <contact.ng0@cryptolab.net> writes:

> On 17-03-05 23:15:25, Alex Vong wrote:
>> Hello,
>> 
>> In the guix download page[0], it mentions "Source code for the Guix
>> System Distribution USB installation images as well as GNU Guix can be
>> found on the GNU ftp server for alpha releases:
>> http://alpha.gnu.org/gnu/guix/ (via HTTP) and
>> ftp://alpha.gnu.org/gnu/guix/ (via FTP).".
>> 
>> Should we change "http://alpha.gnu.org/gnu/guix/ (via HTTP)" to
>> "https://alpha.gnu.org/gnu/guix/ (via HTTPS)"?
>> 
>> Cheers,
>> Alex
>> 
>> [0]: https://www.gnu.org/software/guix/download/
>
>
>
> The primary link should be https not ftp, I've asked about this in a
> thread which derailed and got not very much attention to the question I
> asked so far.. which was rewritting all occurences of ftp:// on the
> website to https:// for alpha.gnu.org.
> As it is, it is inaccessible for tor users. This would fix it.

This thread is exactly my respond to your thread. I use tor myself as
well, so I have exactly the same problem as you do. (But as you have
noticed, it can be easily fixed by changing 'ftp' to 'https'.) Are you
suggesting to replace all instances of 'http' and 'ftp' to 'https'? Have
you already sent a patch?

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

Re: Changing guix download page from using HTTP to HTTPS

[ng0]

On 17-03-06 12:26:52, Alex Vong wrote:
> Hello ng0,
> 
> ng0 <contact.ng0@cryptolab.net> writes:
> 
> > On 17-03-05 23:15:25, Alex Vong wrote:
> >> Hello,
> >> 
> >> In the guix download page[0], it mentions "Source code for the Guix
> >> System Distribution USB installation images as well as GNU Guix can be
> >> found on the GNU ftp server for alpha releases:
> >> http://alpha.gnu.org/gnu/guix/ (via HTTP) and
> >> ftp://alpha.gnu.org/gnu/guix/ (via FTP).".
> >> 
> >> Should we change "http://alpha.gnu.org/gnu/guix/ (via HTTP)" to
> >> "https://alpha.gnu.org/gnu/guix/ (via HTTPS)"?
> >> 
> >> Cheers,
> >> Alex
> >> 
> >> [0]: https://www.gnu.org/software/guix/download/
> >
> >
> >
> > The primary link should be https not ftp, I've asked about this in a
> > thread which derailed and got not very much attention to the question I
> > asked so far.. which was rewritting all occurences of ftp:// on the
> > website to https:// for alpha.gnu.org.
> > As it is, it is inaccessible for tor users. This would fix it.
> 
> This thread is exactly my respond to your thread. I use tor myself as
> well, so I have exactly the same problem as you do. (But as you have
> noticed, it can be easily fixed by changing 'ftp' to 'https'.) Are you
> suggesting to replace all instances of 'http' and 'ftp' to 'https'? Have
> you already sent a patch?


Yes, in https://debbugs.gnu.org/cgi/bugreport.cgi?bug=25980
for the download boxes, not for the change of links you proposed.

Re: Changing guix download page from using HTTP to HTTPS

[Ludovic Courtès]

Leo Famulari <leo@famulari.name> skribis:

> On Sun, Mar 05, 2017 at 11:15:25PM +0800, Alex Vong wrote:
>> Hello,
>> 
>> In the guix download page[0], it mentions "Source code for the Guix
>> System Distribution USB installation images as well as GNU Guix can be
>> found on the GNU ftp server for alpha releases:
>> http://alpha.gnu.org/gnu/guix/ (via HTTP) and
>> ftp://alpha.gnu.org/gnu/guix/ (via FTP).".
>> 
>> Should we change "http://alpha.gnu.org/gnu/guix/ (via HTTP)" to
>> "https://alpha.gnu.org/gnu/guix/ (via HTTPS)"?
>
> The web page is created from the guix-artwork repo:
>
> https://git.savannah.gnu.org/cgit/guix/guix-artwork.git
>
> You can send patches for that repo and then we will build the site and
> deploy the changes with CVS (!).

Yup!  It’s a good idea Alex, please send a patch.

Thanks,
Ludo’.