redirect http requests to https to satisfy Chrome #88
Comments
|
@mflatt and I were discussing this yesterday. For most everything (everything that's fronted by Cloudflare) we can just press a button and it ought to work, but we should perhaps decide when a good time to hit the button is. |
|
Out of curiosity, does this button enable a plain redirect or does it turn on HSTS? |
|
The former.
…On Fri, Feb 8, 2019, 9:44 AM Jack Firth ***@***.*** wrote:
Out of curiosity, does this button enable a plain redirect or does it turn
on HSTS?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#88 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAO78xheZ2Ggdenbj8t7efY_p2RQzJMBks5vLbdzgaJpZM4av9xI>
.
|
|
Is the latter a feasible option? The former is (relatively) insecure. |
|
The redirect is now implemented. There's still a After checking that everything is working and that it won't take on too much risk, I'm going to enable HSTS as well. |
|
Is it possible this change had an unintended consequence with the catalog server? I’m now getting Travis build failures for Racket 6.0 that look like this: I wonder if the But recently, the package-server infrastructure has been generally flaky, so this is only a guess. |
|
@mflatt wrote
My quick check suggests that yes, this does fix the package server (inasmuch as Travis CI builds against 6.0 now work normally)
If Racket Command decides that this is the path forward, it doesn’t bother me to drop support for pre-6.2. I’m merely trying to be a good citizen by not obsoleting older versions that I don’t have to. The CI builds are the only way I know whether the software still works on those older versions. (I’m aware that I seem to be arguing both sides of the HTTPS issue. I didn’t know about this interplay.) |
|
@jeapostrophe fixed pkgs.racket-lang.org today, so we've turned the redirect back on. @mbutterick this will still break the ability of pre-6.2 Racket to contact download.racket-lang.org, which is the failure you saw. If people are concerned about this, we can consider trying to make this still work. |
|
This may be the reason why raco pkg installation on my TrueOS FreeBSD system is now broken. I don't recall having this problem before. Whenever I try to install a package from the main catalog in Racket 7.2, the error says Analyzing the error by evaluating Checking my system, I see there's |
|
Probably you need to add a new entry to this list: https://github.com/racket/racket/blob/master/racket/collects/openssl/libcrypto.rkt#L35 |
|
Can the package server force a redirect to https -- or not -- based on the value of the I'm guessing that |
|
By the way, I have some packages where I am still trying to support Racket versions older than 6.2. Why? Because I've had no reason to drop support. Travis CI helps me identify blatant problems like using procedures provided only in newer versions of Racket. If CI can no longer help with that (because older versions of I wanted to point out that it's a consequence. I don't know if it's a particularly bad one. |
|
Currently we're doing this at the Cloudflare CDN level, rather than on download.racket-lang.org. That doesn't make this easy, but it could be possible (although it would almost certainly cost some money). Alternatively we could do the redirect somewhere else, at the cost of some more work. For pre-6.2 Racket, it would no longer be possible to install any packages via the package catalog with this change, so you'd have to drop support regardless. If anyone actually wants to support pre-6.2 Racket, or even more significantly wants to use pre-6.2 Racket, then saying that would be helpful. |
|
Do you have stats for URLs like |
|
I don't immediately have the logs for that machine, but I'll see what I can find. |
|
After some experimenting and reading up on the expected conventions regarding shared libraries on *nix platforms. The convention is to have a In any event, I'm able to resolve the problem simply by adding the missing symbolic link by installing the development package version which will automatically configure the links. I don't think any changes are necessary in |
|
Well, it shouldn't be necessary to install the development package for Racket to work. If you add "111" to that list, does that fix the problem? |
|
Adding 111 to the list does fix the problem, shall I open a pull request with the new list entry? Aside, the resolution of the |
|
Yes, a PR for that would be great. I wish that there was something that would just make this work in general, but we haven't found it yet. |
- Fewer details in .travis.yml. - Use generic Makefile. - Put some details in info.rkt files. Also, move markdown.scrbl up from pointless "docs" subdir.
- Drop support for Racket before 6.2 as it is no longer testable. See <racket/racket-lang-org#88> - Depend on threading-lib not rackjure. All we were using from rackjure was `~>` and `str`. We can get former directly from threading-lib, and latter is just `~a`. - Add newer Racket versions 7.1 and 7.2. - Bump our version to 0.26.
- Drop support for Rackets < 6.2 because they are no longer testable -- see <racket/racket-lang-org#88>. - Now that we require 6.2, our info.rkt can use `#lang info` instead of `#lang setup/infotab`. - Depend on threading-lib not rackjure. All we were using from rackjure was `~>` and `str`. We can get former directly from threading-lib, and latter is just `~a`. - Add newer Racket versions 7.1 and 7.2. - Bump our version to 0.26.
- Drop support for Rackets < 6.2 because they are no longer testable -- see <racket/racket-lang-org#88>. - Now that we require 6.2, our info.rkt can use `#lang info` instead of `#lang setup/infotab`. - Add newer Racket versions 7.0, 7.1, and 7.2. - Bump our version to 0.10.
- Drop support for Rackets < 6.2 because they are no longer testable -- see <racket/racket-lang-org#88>. - Add newer Racket version 7.2. - Bump our version to 0.30.
- Drop support for Rackets < 6.2 because they are no longer testable -- see <racket/racket-lang-org#88>. - Add newer Racket version 7.2.
- Drop support for Rackets < 6.2 because they are no longer testable -- see <racket/racket-lang-org#88>. - Now that we require 6.2, our info.rkt can use `#lang info` instead of `#lang setup/infotab`. - Add newer Racket versions 7.0, 7.1, and 7.2. - Bump our version to 1.13.
- Drop support for Rackets < 6.2 because they are no longer testable -- see <racket/racket-lang-org#88>. - Now that we require 6.2, our info.rkt can use `#lang info` instead of `#lang setup/infotab`. - Add newer Racket versions 6.10 through 7.2. - Bump our version to 0.4.
|
I was hoping to maintain support for 6.0.1 in Heresy, because I just got a retro iBook and 6.0.1 was the last version built for PowerPC. 😞 Unfortunately, we depend on rackjure so I guess that's a no go unless I can find a way to replace that dependency. I'll have to see what I'm using. |
|
@jarcane Is the issue just about pre-built binaries? Could you compile 6.2 yourself? |
|
I honestly don't know. I will have to try; might be a few days before I can get to it though. |
To be clear: this is Chrome idiocy. But as with much Chrome idiocy, it is often imputed back to the webmaster.
httpsseems active on all Racket websites. But typing inracket-lang.orgto a Chrome URL box still selects thehttpversion by default, and produces the naughty-looking “not secure” warning. The fix is to redirect allhttprequests tohttps.The text was updated successfully, but these errors were encountered: