Subject: Re: [gentoo-dev] Bugzilla 4 migration
From: Olivier Crête
To: gentoo-dev@lists.gentoo.org
Date: Mon, 07 Mar 2011 15:06:25 -0500
Message-ID: <1299528385.26337.22.camel@TesterTop4>
In-Reply-To: <20110307204708.5da83080@pomiocik.lan>
References: <4D7410E3.3070708@gentoo.org> <20110307101214.37beac3a@pomiocik.lan> <20110307144819.GA28374@kaini.schwarzvogel.de> <20110307204708.5da83080@pomiocik.lan>
Organization: Gentoo

On Mon, 2011-03-07 at 20:47 +0100, Michał Górny wrote:
> On Mon, 7 Mar 2011 15:48:19 +0100
> Tobias Klausmann wrote:
>
> > On Mon, 07 Mar 2011, Mike Frysinger wrote:
> > > >> If *anybody* can't use SSL for any reason please yell so that we
> > > >> can decide if we leave it as it is (plain + encrypted) or not.
> > > >
> > > > Is there any *real* reason to force SSL? It is *hell* slow.
> > >
> > > it should of course be forced for logging in
> >
> > If it is enforced for login, it should be enforced for logged
> > in sessions, cf. Cookie stealing (for a POC: Firesheep). And no,
> > restricting the login cookie to an IP is *not* "safe enough".
>
> Why does everyone assume it needs to be enforced? If user is interested
> in protecting his/her data, he/she can simply use https://. If he/she
> is not, there is no real reason to enforce slower (and not always
> supported) SSL.

Maybe it's not to protect the user, but to protect the Gentoo
infrastructure.. And really, SSL has been supported by every browser for
the last 15 years. And it is not in any way slow or slower than non-SSL.

--
Olivier Crête
tester@gentoo.org
Gentoo Developer
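The point quoted in the thread, that SSL at login alone leaves the logged-in session exposed, can be checked from the `Set-Cookie` headers a site returns. The following is an added example, not part of the original message or of Bugzilla's code; the cookie names, values and the host `bugs.example.org` are constructed, and only the `Secure` attribute is modelled.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed Set-Cookie values, as a site might send after an https:// login.
LOGIN_SET_COOKIES = [
    "session_id=abc123; Path=/; HttpOnly",           # no Secure attribute
    "login_token=def456; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/",
]


def cookie_flags(set_cookie_value):
    """Parse one Set-Cookie value into (name, secure, httponly)."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    if not jar:
        raise ValueError("unparseable Set-Cookie: %r" % set_cookie_value)
    name, morsel = next(iter(jar.items()))
    return name, bool(morsel["secure"]), bool(morsel["httponly"])


def cookies_sent(set_cookie_values, url):
    """Names of the cookies a browser attaches to a request for url.

    Models only the Secure attribute: such cookies are withheld from
    http:// requests. Domain, Path and expiry matching are left out.
    """
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("http", "https"):
        raise ValueError("unsupported scheme: %r" % scheme)
    sent = []
    for value in set_cookie_values:
        name, secure, _ = cookie_flags(value)
        if secure and scheme != "https":
            continue  # browser keeps Secure cookies off cleartext requests
        sent.append(name)
    return sent


if __name__ == "__main__":
    # Same logged-in user, one later page view over plain http://.
    url = "http://bugs.example.org/show_bug.cgi?id=1"
    for name in cookies_sent(LOGIN_SET_COOKIES, url):
        print("readable on the wire:", name)
```

Any session-bearing cookie in that output travels in cleartext on every plain HTTP request after login, whether or not the login form itself was served over SSL.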