[llvm-dev] [SERVER UPDATE] Moving clang, clang-analyzer, libcxxabi, libcxx ... websites to new server

James Y Knight via llvm-dev llvm-dev at lists.llvm.org
Fri Jan 13 13:07:48 PST 2017

On Fri, Jan 13, 2017 at 3:47 PM, Mehdi Amini <mehdi.amini at apple.com> wrote:

> On Jan 13, 2017, at 12:35 PM, James Y Knight via llvm-dev <
> llvm-dev at lists.llvm.org> wrote:
> On Thu, Jan 5, 2017 at 5:26 PM, Tanya Lattner via llvm-dev <
> llvm-dev at lists.llvm.org> wrote:
>> *Are you fixing the SSL problem?*
>> Yes. The new server will have SSL support for all websites and have an
>> updated certificate.
> Is there any plan to make the migrated sites SSL-only? That is, have
> http://clang.llvm.org/** only serve a redirect to
> https://clang.llvm.org/** instead of serving content over http.
> If not, that'd be a great thing to add to the plans. :)
> I’m curious: why?
> I understand that you want anything authenticated (bugzilla, …) or the
> binary/source download, but what’s the reason to use SSL for looking up
> doxygen or LangRef? (Easier to setup or get it right could be a reason, I
> don’t know)

Well, sure, that's one reason: it's much easier to ensure that everything
that matters is properly protected, if you always protect everything. You
don't have to think about it anymore, and you won't mess up and
accidentally allow unencrypted binary downloads, which puts users at
unnecessary risk of tampering when they forget to explicitly type https.

Also: do you really want your site's visitors to be running the random
javascript that Comcast injects into it? Using https avoids that, too.

But beyond that: there's no downside. Why should *anyone* continue to serve
http traffic? It's just all around better and safer to require https, for
everything, always.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-dev/attachments/20170113/4cb97bd9/attachment.html>

More information about the llvm-dev mailing list