Roundup Tracker - Issues

Issue 2550940

classification
Title: issues.roundup-tracker.org does not support HTTPS
Type: security Severity: major
Components: Web interface Versions:
process
Status: new Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: ber, paulschreiber, rouilj
Priority: Keywords:

Created on 2017-04-29 17:19 by paulschreiber, last changed 2017-07-31 07:53 by ber.

Messages
msg5969 Author: [hidden] (paulschreiber) Date: 2017-04-29 17:19
issues.roundup-tracker.org does not support HTTPS.

All sites — especially sites providing logins — should support HTTPS and enforce it
with HSTS.
msg5973 Author: [hidden] (ber) Date: 2017-05-09 14:18
I agree that it would be nice to have HTTPS support for
issues.roundup-tracker.org
and http://www.roundup-tracker.org/
wiki.roundup-tracker.org

So thanks for reminding us.
With https://en.wikipedia.org/wiki/Let%27s_Encrypt it should be fairly
easy to get HTTPS started.

As for HSTS, I have a tendency to consider it less useful; the reason is
that it may make access to the information on the site harder, and a lot
of info is valuable without TLS as well.
msg5974 Author: [hidden] (paulschreiber) Date: 2017-05-09 16:12
What do you mean by "may make access to the information on the site harder"?

All web browsers support HTTPS.
msg5995 Author: [hidden] (rouilj) Date: 2017-07-29 01:11
Bernhard, have you talked to the python.org folks (IIRC) about
getting this under https?

At the very least encrypting logins would be good.

We just had a spam login from a user whose password was changed
by an admin back in 2009. So I am not sure how the spam was posted
(maybe email), but securing the tracker needs to be done.
msg5997 Author: [hidden] (ber) Date: 2017-07-31 07:53
@paulschreiber:

Worldwide, a number of users cannot use HTTPS easily.
Two major reasons:
a) older browsers (on old tablets, phones or computers with operating
systems for which no updates are available, for a number of reasons).
b) surveillance or censorship breaks or blocks HTTPS.

@rouilj:
Here is my last status (which did not make it to the list, though it
should have); I haven't checked further.
The OS update should have solved the problems the Python folks
had with their Let's Encrypt client, I guess.

----------  Forwarded message  ----------

Subject: Re: [Infrastructure] [Roundup-devel]
https://issues.roundup-tracker.org/ is python bug tracker??
Date: Friday 12 May 2017, 18:55:38
From: Mark Mangoba <mmangoba@python.org>
To: "R. David Murray" <rdmurray@bitdance.com>
Cc:  Bernhard Reiter <bernhard@intevation.de>,
roundup-devel@lists.sourceforge.net, "infrastructure@python.org
infrastructure" <infrastructure@python.org>

I am planning to schedule an upgrade of bugs.python.org from Debian 6 to 7
next week, this should ultimately fix the issue as well as keep bugs
healthy.

At the moment, I am working with the hosting provider to see whether it's possible to
create a snapshot of the VM so we can simulate and test the upgrade.

I should provide an update later next week on status and schedule.

Best regards,
Mark
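The thread asks for two things on the tracker: a redirect from plain HTTP to HTTPS, and HSTS enforcement. The following check, added here as an example and not code from Roundup or from any participant, evaluates a plain-HTTP redirect response and the Strict-Transport-Security header of an HTTPS response against RFC 6797; the host name, the sample responses and the 180-day minimum max-age are assumptions.

```python
# Added example for this thread: check the two things it asks for, an HTTP to
# HTTPS redirect and a Strict-Transport-Security (HSTS) header (RFC 6797).
# Not Roundup code; the sample responses below are constructed, not captured.
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse e.g. 'max-age=31536000; includeSubDomains' into a dict.
    Directive names are case-insensitive and must not repeat (RFC 6797 6.1)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive {name!r}")
        directives[name] = val.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        raise ValueError("max-age is required and must be a non-negative integer")
    return directives

def check_redirect(status, location, host):
    """A plain-HTTP response should permanently redirect to https:// on the same host."""
    if status not in (301, 308) or not location:
        return False, f"HTTP {status} does not redirect to HTTPS"
    target = urlsplit(location)
    if target.scheme != "https" or target.hostname != host:
        return False, f"redirects to {location}, not https://{host}"
    return True, "HTTP redirects to HTTPS"

def check_hsts(headers, min_age=180 * 24 * 3600):
    """Evaluate the HSTS header of an HTTPS response; min_age is a local policy choice."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False, "no Strict-Transport-Security header"
    try:
        age = int(parse_hsts(value)["max-age"])
    except ValueError as exc:
        return False, f"malformed HSTS header: {exc}"
    if age == 0:
        return False, "max-age=0 tells browsers to forget the policy"
    if age < min_age:
        return False, f"max-age {age} is below the policy minimum {min_age}"
    return True, f"HSTS enforced for {age} seconds"

if __name__ == "__main__":
    # Constructed responses for a hypothetical tracker host.
    print(check_redirect(301, "https://issues.example.org/", "issues.example.org"))
    print(check_hsts({"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}))
```

A header with a short max-age, or max-age=0 (which browsers treat as withdrawing the policy), is reported as a failure, which is what you want to notice when HSTS is rolled out with a low value and never raised.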
History
Date                 User           Action  Args
2017-07-31 07:53:52  ber            set     messages: + msg5997
2017-07-29 01:11:43  rouilj         set     nosy: + rouilj, ber
                                            messages: + msg5995
2017-05-09 16:12:17  paulschreiber  set     nosy: - ber
                                            messages: + msg5974
2017-05-09 14:18:09  ber            set     nosy: + ber
                                            messages: + msg5973
2017-04-29 17:19:51  paulschreiber  create