Switch all http to https in code base?

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Switch all http to https in code base?

Rik-4
All,

How strict should we be about converting URL references from http to
https?  I notice lots of instance of @url{...} in the documentation that
are using insecure http.  And then there are others like this one:

config.h:3101:#define PACKAGE_URL "http://www.gnu.org/software/octave/"

or

README:58:  compiler, or [f2c](http://www.netlib.org/f2c/)

--Rik

Reply | Threaded
Open this post in threaded view
|

Re: Switch all http to https in code base?

Mike Miller-4
On Thu, Apr 05, 2018 at 18:39:58 -0700, Rik wrote:
> How strict should we be about converting URL references from http to
> https?

Everything that can be https should be https.

I thought I had taken care of changing all octave.org, gnu.org, and
sourceforge.{io,net} URLs to https, did you see any that aren't?

> notice lots of instance of @url{...} in the documentation that
> are using insecure http.

I didn't bother with going through all third-party URLs to .edu and
other domains, but if they can be https they should be.

If a URL to some code or paper returns an error now, should we leave it?

> And then there are others like this one:
>
> config.h:3101:#define PACKAGE_URL "http://www.gnu.org/software/octave/"

That URL is constructed automatically by autoconf.

I had thought about overriding it by adding a fifth argument to AC_INIT,
but I think it's probably ok to just leave it until a new release of
autoconf is out.

--
mike

signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Switch all http to https in code base?

Rik-4
On 04/05/2018 06:52 PM, Mike Miller wrote:
> On Thu, Apr 05, 2018 at 18:39:58 -0700, Rik wrote:
>> How strict should we be about converting URL references from http to
>> https?
> Everything that can be https should be https.
>
> I thought I had taken care of changing all octave.org, gnu.org, and
> sourceforge.{io,net} URLs to https, did you see any that aren't?

Not so much in the main Octave repo, but there loads of examples in the MXE
repo.  If it is the right thing to do then I will switch them over.

>
>> notice lots of instance of @url{...} in the documentation that
>> are using insecure http.
> I didn't bother with going through all third-party URLs to .edu and
> other domains, but if they can be https they should be.
>
> If a URL to some code or paper returns an error now, should we leave it?

Seems pointless to have a broken link.  I would delete them.  I'll write a
script to check the links.

>> And then there are others like this one:
>>
>> config.h:3101:#define PACKAGE_URL "http://www.gnu.org/software/octave/"
> That URL is constructed automatically by autoconf.
>
> I had thought about overriding it by adding a fifth argument to AC_INIT,
> but I think it's probably ok to just leave it until a new release of
> autoconf is out.
>

I'd be tempted to use the fifth argument.  No idea when the next autoconf
is scheduled for release.

--Rik