On Thu, Jul 30, 2009 at 02:21:34PM -0400, C. Michael Pilato wrote:
> Stefan Sperling wrote:
> > In my opinion, if we can keep the SSL option for anonymous users
> > without major effort, let's keep it. It's the only way for anonymous
> > users to get our at trunk code securely (releases are already PGP-signed).
>
> My goal was simplify the configuration while at least offering the kind of
> security afforded by other hosting providers. But there isn't even a
> consensus across the "big ones": GoogleCode is anonymous HTTP,
> authenticated HTTPS; SourceForge.net is HTTPS only; and Tigris.org is HTTP
> only (clearly undesirable).
>
> We can go SSL-only (with redirects for non-SSL access so old links don't
> break). It means I have to maintain my current workaround for the svn-org's
> repository (which wants to be anonymously readable minus some private bits,
> authenticatedly read/write all over)[1], but that's not the end of the world.
I guess SSL-only is fine then.
By the way, an SSL cert signed by some CA would be great.
Right now the cert is self-signed. Maybe a fresh cert could
be slipped in as a bonus while we're at it?
Otherwise, going SSL-only would mean that people would have to click
quite a lot of buttons to view our repo, at least in Firefox-3.
Stefan
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=2379745
Received on 2009-08-03 23:47:34 CEST