/srv/irclogs.ubuntu.com/2016/03/09/#launchpad-dev.txt

mwhudsonso um20:17
mwhudsonhave we thought about adding https support for bazaar.launchpad.net at all?20:17
xnoxmwhudson, i thought we do have it.... please elaborate?21:33
mwhudsonxnox: not for accessing bzr branches over https we don't21:34
mwhudsoni think?21:34
mwhudsonthere is for codebrowse21:34
xnoxah21:36
cjwatsonmwhudson: the chances of any development that substantial happening on bzr codehosting are relatively slim21:47
mwhudsoncjwatson: it's mostly ops isn't it? but yeah21:47
mwhudsoncjwatson: this is what prompted it https://groups.google.com/d/msg/golang-nuts/bY5qSPjBUCk/FkkAujU2AQAJ21:48
mwhudsonit's slightly embarrassing21:48
cjwatsonsure - we do have it on git.launchpad.net21:49
wgrantmwhudson: It's complicated due to domain arrangements and security.21:58
mwhudsonwgrant: bleh ok21:58
mwhudsoni don't really see why but i'm sure the details are horrible :-)21:59
wgrantmwhudson: Users holding SFTP access to a subdomain of a webapp is a Very Bad Idea™.21:59
wgrantWe are saved today only by the Secure bit on our cookies.21:59
mwhudsonoh22:00
mwhudsoni guess we could turn off sftp but i guess the smart server provides broadly equivalent abilities?22:00
wgrantCorrect.22:02
wgrantVFS access can't readily be eliminated.22:02
wgrantIt is possible to fix at the web server level, but the security considerations are complicated and we certainly don't have time for that now.22:03
cjwatsonGood excuse to encourage Go projects hosted on Launchpad to switch to git.launchpad.net on general principles.22:04
cjwatson(which I realise is a little unhelpful, but aligned with general goals ...)22:04
mwhudsoncan't decide whether to reply and say that or just ignore it and hope it goes away22:06

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!