
Re: [Savannah-hackers-public] [Repo-criteria-discuss] Savannah and HTTPS


From: Richard Stallman
Subject: Re: [Savannah-hackers-public] [Repo-criteria-discuss] Savannah and HTTPS
Date: Sat, 08 Oct 2016 16:58:28 -0400

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > A couple people have raised concerns about Savannah and whether it meets
  > criteria C6, which states: "Support HTTPS properly and securely,
  > including the site's certificates."

The first one seems to be trying to distort the meaning of those
words.  To support HTTPS does NOT mean to refuse to support HTTP.
If that's what we meant, we would have said that.

However, this point

  > But
  > > even more worrying is that there is no way to access the savannah git
  > > repositories in a secure way for anonymous users.
  > >
  > > If you look at a repository site like this:
  > > http://savannah.gnu.org/git/?group=patch
  > >
  > > There are two ways to clone the repo: Over the git:// protocol, which
  > > is plaintext and insecure, and over ssh, which is only available if you
  > > have a savannah account and are a member of that project. Therefore for
  > > all people that are not part of a project there is no secure way of
  > > getting the git code.
  > >

seems to be valid.  That is a real problem.

Looking at their four points:

  > > * Remove the nonsensical login option and make security the default.
  > > * Redirect all http queries to https.
  > > * Set an HSTS header to avoid accidental http access.

Those are not necessary.  There is no need for sites to refuse
to support HTTP.

  > > * Create an anonymous git checkout option over HTTPS.

We do need to do that one.

Can any of you help do this?

If necessary, we could ask our sysadmins to help -- but I think this
is more of a programming issue than a sysadmin issue.
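The thread's point is that git:// and plain http:// carry the checkout in the clear, while https:// and ssh authenticate the server. As an added example (not code from the thread or from Savannah), here is a small POSIX sh audit that classifies a repository's remotes by transport and fails if any of them is plaintext; the hostnames and remote names are constructed.

```shell
#!/bin/sh
# Added example, not part of the thread: classify a repository's remote URLs
# by transport so a checkout script refuses the plaintext transports the
# thread complains about (git://, http://) and only proceeds over transports
# that authenticate the server (https://, ssh). Hostnames below are constructed.

# Print the transport class of one URL: "plaintext", "secure" or "unknown".
remote_transport_class() {
    case "$1" in
        git://*|http://*)        echo plaintext ;;
        https://*|ssh://*|*@*:*) echo secure ;;    # *@*:* is scp-style ssh syntax
        *)                       echo unknown ;;
    esac
}

# Read "name url" lines on stdin (the shape of `git remote -v` with the
# trailing "(fetch)"/"(push)" column ignored), print one verdict per remote
# and return 1 if any remote uses a plaintext transport.
audit_remotes() {
    rc=0
    while read -r name url _; do
        [ -n "$url" ] || continue
        class=$(remote_transport_class "$url")
        printf '%-9s %s %s\n' "$class" "$name" "$url"
        [ "$class" = plaintext ] && rc=1
    done
    return "$rc"
}

# Constructed sample: an anonymous git:// remote plus an HTTPS mirror.
SAMPLE_REMOTES='origin git://savannah.example/patch.git
mirror https://savannah.example/patch.git'

printf '%s\n' "$SAMPLE_REMOTES" | audit_remotes \
    || echo 'at least one remote is plaintext; switch it to https:// before cloning'
```

git itself can enforce the same rule for every clone with `git config --global protocol.git.allow never`, which makes git:// transfers fail outright.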
