[20:17] <mwhudson> so um
[20:17] <mwhudson> have we thought about adding https support for bazaar.launchpad.net at all?
[21:33] <xnox> mwhudson, i thought we do have it.... please elaborate?
[21:34] <mwhudson> xnox: not for accessing bzr branches over https we don't
[21:34] <mwhudson> i think?
[21:34] <mwhudson> there is for codebrowse
[21:36] <xnox> ah
[21:47] <cjwatson> mwhudson: the chances of any development that substantial happening on bzr codehosting are relatively slim
[21:47] <mwhudson> cjwatson: it's mostly ops isn't it? but yeah
[21:48] <mwhudson> cjwatson: this is what prompted it https://groups.google.com/d/msg/golang-nuts/bY5qSPjBUCk/FkkAujU2AQAJ
[21:48] <mwhudson> it's slightly embarrassing
[21:49] <cjwatson> sure - we do have it on git.launchpad.net
[21:58] <wgrant> mwhudson: It's complicated due to domain arrangements and security.
[21:58] <mwhudson> wgrant: bleh ok
[21:59] <mwhudson> i don't really see why but i'm sure the details are horrible :-)
[21:59] <wgrant> mwhudson: Users holding SFTP access to a subdomain of a webapp is a Very Bad Idea™.
[21:59] <wgrant> We are saved today only by the Secure bit on our cookies.
[22:00] <mwhudson> oh
[22:00] <mwhudson> i guess we could turn off sftp but i guess the smart server provides broadly equivalent abilities?
[22:02] <wgrant> Correct.
[22:02] <wgrant> VFS access can't readily be eliminated.
[22:03] <wgrant> It is possible to fix at the web server level, but the security considerations are complicated and we certainly don't have time for that now.
[22:04] <cjwatson> Good excuse to encourage Go projects hosted on Launchpad to switch to git.launchpad.net on general principles.
[22:04] <cjwatson> (which I realise is a little unhelpful, but aligned with general goals ...)
[22:06] <mwhudson> can't decide whether to reply and say that or just ignore it and hope it goes away