Roundup Tracker - Issues

Issue 2550940

Title: does not support HTTPS
Type: security Severity: major
Components: Web interface Versions:
Status: new Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: ber, paulschreiber, rouilj
Priority: Keywords:

Created on 2017-04-29 17:19 by paulschreiber, last changed 2017-07-31 07:53 by ber.

msg5969 Author: [hidden] (paulschreiber) Date: 2017-04-29 17:19
does not support HTTPS.

All sites — especially sites providing logins — should support HTTPS and enforce it with HSTS.
msg5973 Author: [hidden] (ber) Date: 2017-05-09 14:18
I agree that it would be nice to have a HTTPS support for

So thanks for reminding us.
With it should be fairly
easy to get https started.

As for HSTS I have a tendency to consider it less useful, the reason is
that it may make access harder to the information on the side and a lot
of info is valuable without TLS as well.
msg5974 Author: [hidden] (paulschreiber) Date: 2017-05-09 16:12
What do you mean by "may make access harder to the information on the side"?

All web browsers support HTTPS.
msg5995 Author: [hidden] (rouilj) Date: 2017-07-29 01:11
Bernhard, have you talked to the folks (IIRC) about
getting this under https?

At the very least encrypting logins would be good.

We just had a spam login from a user whose password was changed
by an admin back in 2009. So I am not sure how the spam was posted
(maybe email), but securing the tracker needs to be done.
msg5997 Author: [hidden] (ber) Date: 2017-07-31 07:53

Worldwide, a number of users cannot use HTTPS easily.
Two major reasons:
a) older browsers (on old tablets, phones or computers with operating
systems with no updates available, for a number of reasons).
b) surveillance or censorship breaks or blocks HTTPS

Here is my last status (which did not make it to the list, though it
should have), I haven't checked further.
The OS update should have solved the problems the Python folks
had with their Let's Encrypt client, I guess.

----------  Forwarded Message  ----------

Subject: Re: [Infrastructure] [Roundup-devel] is python bug tracker??
Date: Friday 12 May 2017, 18:55:38
From: Mark Mangoba <>
To: "R. David Murray" <>
Cc:  Bernhard Reiter <>,, "
infrastructure" <>

I am planning to schedule an upgrade of from Debian 6 to 7
next week, this should ultimately fix the issue as well as keep bugs

At the moment, I am working with the hosting provider if it's possible to
create a snapshot of the VM so we can simulate and test the upgrade.

I should provide an update later next week on status and schedule.

Best regards,
Date                 User           Action  Args
2017-07-31 07:53:52  ber            set     messages: + msg5997
2017-07-29 01:11:43  rouilj         set     nosy: + rouilj, ber; messages: + msg5995
2017-05-09 16:12:17  paulschreiber  set     nosy: - ber; messages: + msg5974
2017-05-09 14:18:09  ber            set     nosy: + ber; messages: + msg5973
2017-04-29 17:19:51  paulschreiber  create