Re: [Repo-criteria-discuss] Savannah and HTTPS

[Juuso Lapinlampi]

On Mon, Sep 19, 2016 at 12:30:03PM +0200, Hanno Böck wrote:
> *The code repositories*
> 
> Now all of the above can be aleviated a bit if a user carefully uses
> https all the time manually or uses a plugin like https everywhere. But
> even more worrying is that there is no way to access the savannah git
> repositories in a secure way for anonymous users.
> 
> If you look at a repository site like this:
> http://savannah.gnu.org/git/?group=patch
> 
> There are two ways to clone the repo: Over the git:// protocol, which
> is plaintext and insecure, and over ssh, which is only available if you
> have a savannah account and are a member of that project. Therefore for
> all people that are not part of a project there is no secure way of
> getting the git code.
> 
> 
> 
> I think for these two reasons one cannot argue that savannah supports
> HTTPS "properly and securely".
> 
> I don't know if people operating savannah read this, but I'd recommend
> these changes:
> * Remove the nonsensical login option and make security the default.
> * Redirect all http queries to https.
> * Set an HSTS header to avoid accidental http access.
> * Create an anonymous git checkout option over HTTPS.

I have reported this issue to GNU webmasters three months ago, who said
to forward this to the Savannah team. Nothing has happened so far.

There used to be "includeSubDomains" directive in gnu.org (root), but it
was broken in regards to Savannah and removed.

I have attached the whole email conversation with GNU webmasters. The
incorrect use of terms from GNU's side does not make me very
confident...

> 
> Until these issues have been resolved I think savannah should no longer
> be called an ethical code hosting option.

Agreed, and I have criticized issues similar to this before on this
list.

2016-06-14-gnu-hsts.mbox
Description: Text document