03-08-2011, 01:53 PM
Michał Górny

Bugzilla 4 migration

On Tue, 08 Mar 2011 16:41:08 +0200
Antoni Grzymała <awaria@chopin.edu.pl> wrote:

> On Tue, 8 Mar 2011 15:26:34 +0100, Michał Górny wrote:
> > On Mon, 07 Mar 2011 15:06:25 -0500
> > Olivier Crête <tester@gentoo.org> wrote:
> >
> >> On Mon, 2011-03-07 at 20:47 +0100, Michał Górny wrote:
> >> > Why does everyone assume it needs to be enforced? If user is
> >> > interested in protecting his/her data, he/she can simply use
> >> > https://. If he/she is not, there is no real reason to enforce
> >> > slower (and not always supported) SSL.
> >>
> >> Maybe it's not to protect the user, but to protect the Gentoo
> >> infrastructure.. And really, SSL has been supported by every
> >> browser for the last 15 years. And it is not in any way slow or
> >> slower than non-SSL.
> >
> > If you really think you need to force all users to use SSL, thus
> > assuming they're unable to make their own decisions, why don't you
> > restrict bugzie access completely?
>
> You don't seem to (or pretend not to) understand that using SSL
> protects not *the user* (in which case, yes, a user is free to leave
> the door to *his own* house wide open), but the Gentoo infrastructure
> that is far from his own and that all of us are using.

Please explain to me how not using SSL for a particular bugzie user is
going to hurt Gentoo infra. Even if we're talking about a dev,
and we're really assuming a dev is completely unaware of security
issues he/she's dealing with, I'd say power outage could cause more
damage.

> Besides, complaining about SSL being slow is absurd considering how
> mildly interactive and how low-traffic a typical bugzilla session is.
> You could do just fine over a 9600 bps modem.

It is more absurd to waste 5 minutes trying to establish login session
due to packet loss.

--
Best regards,
Michał Górny
 
03-08-2011, 02:06 PM
Nathan Phillip Brink

Bugzilla 4 migration

On Tue, Mar 08, 2011 at 03:53:01PM +0100, Michał Górny wrote:
> On Tue, 08 Mar 2011 16:41:08 +0200
> Antoni Grzymała <awaria@chopin.edu.pl> wrote:
>
> > On Tue, 8 Mar 2011 15:26:34 +0100, Michał Górny wrote:
> > > On Mon, 07 Mar 2011 15:06:25 -0500
> > > Olivier Crête <tester@gentoo.org> wrote:
> > >
> > >> On Mon, 2011-03-07 at 20:47 +0100, Michał Górny wrote:
> > >> > Why does everyone assume it needs to be enforced? If user is
> > >> > interested in protecting his/her data, he/she can simply use
> > >> > https://. If he/she is not, there is no real reason to enforce
> > >> > slower (and not always supported) SSL.
> > >>
> > >> Maybe it's not to protect the user, but to protect the Gentoo
> > >> infrastructure.. And really, SSL has been supported by every
> > >> browser for the last 15 years. And it is not in any way slow or
> > >> slower than non-SSL.
> > >
> > > If you really think you need to force all users to use SSL, thus
> > > assuming they're unable to make their own decisions, why don't you
> > > restrict bugzie access completely?
> >
> > You don't seem to (or pretend not to) understand that using SSL
> > protects not *the user* (in which case, yes, a user is free to leave
> > the door to *his own* house wide open), but the Gentoo infrastructure
> > that is far from his own and that all of us are using.
>
> Please explain to me how not using SSL for a particular bugzie user is
> going to hurt Gentoo infra. Even if we're talking about a dev,
> and we're really assuming a dev is completely unaware of security
> issues he/she's dealing with, I'd say power outage could cause more
> damage.

If you access a bug which a user marked private/for devs only, or some
security bug, then the process of you viewing this information without
SSL would disclose this information to anyone listening on your
network. And disclosing your session cookie would allow anyone to find
any such private data they _want_ to find rather than just the content
you're viewing. Thus, by encrypting everything you are protecting
Gentoo users' data which is posted as private on bugzilla because they
trust that ``private'' actually means private.

> > Besides, complaining about SSL being slow is absurd considering how
> > mildly interactive and how low-traffic a typical bugzilla session is.
> > You could do just fine over a 9600 bps modem.
>
> It is more absurd to waste 5 minutes trying to establish login session
> due to packet loss.

And if you have such a bad internet connection as you claim to have,
then perhaps there's a higher chance of people trolling your packets
anyways :-p.

--
binki

Look out for missing apostrophes!
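
An added example, not part of the original thread: a small audit of captured HTTP responses that flags the two exposures discussed above, page content served in cleartext and a session cookie that can travel over `http://`. The host name, URLs and cookie values are constructed sample data, and `audit` and `parse_set_cookie` are hypothetical helper names.

```python
from urllib.parse import urlsplit

def parse_set_cookie(value):
    """Return (cookie_name, set of lowercased attribute names)."""
    first, *attrs = [part.strip() for part in value.split(";")]
    name = first.split("=", 1)[0]
    return name, {a.split("=", 1)[0].lower() for a in attrs if a}

def audit(responses):
    """responses: list of (url, status, [(header, value), ...]) tuples.
    Returns a list of (url, finding) pairs."""
    findings = []
    for url, status, headers in responses:
        scheme = urlsplit(url).scheme
        hdrs = [(k.lower(), v) for k, v in headers]
        location = next((v for k, v in hdrs if k == "location"), "")
        redirects_to_tls = 300 <= status < 400 and location.startswith("https://")
        # Anything other than a redirect to https:// means page content
        # (for example a restricted bug) crossed the network unencrypted.
        if scheme == "http" and not redirects_to_tls:
            findings.append((url, "content served over cleartext HTTP"))
        for key, value in hdrs:
            if key != "set-cookie":
                continue
            name, attrs = parse_set_cookie(value)
            if scheme == "http":
                findings.append((url, f"cookie {name} issued over cleartext HTTP"))
            elif "secure" not in attrs:
                # Without Secure the browser also attaches the cookie to any
                # later http:// request to the same host.
                findings.append((url, f"cookie {name} lacks the Secure attribute"))
    return findings

# Constructed sample captures: SSL optional versus SSL enforced.
OPTIONAL_SSL = [
    ("http://bugs.example.org/show_bug.cgi?id=1", 200,
     [("Content-Type", "text/html")]),
    ("https://bugs.example.org/index.cgi", 200,
     [("Set-Cookie", "Bugzilla_logincookie=CONSTRUCTED; path=/; HttpOnly")]),
]
ENFORCED_SSL = [
    ("http://bugs.example.org/show_bug.cgi?id=1", 301,
     [("Location", "https://bugs.example.org/show_bug.cgi?id=1")]),
    ("https://bugs.example.org/index.cgi", 200,
     [("Set-Cookie", "Bugzilla_logincookie=CONSTRUCTED; path=/; secure; HttpOnly")]),
]

if __name__ == "__main__":
    for label, capture in (("optional", OPTIONAL_SSL), ("enforced", ENFORCED_SSL)):
        print(label, audit(capture))
```

In the optional-SSL capture the user logged in over `https://`, yet the cookie is still flagged: one later `http://` request is enough to expose the session.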
 
