Date:   Sat, 27 Jun 2020 09:10:58 +0200
From:   "Alexander A. Klimov" <grandmaster@...klimov.de>
To:     Jonathan Corbet <corbet@....net>
Cc:     mchehab+samsung@...nel.org, alexandre.belloni@...tlin.com,
        nicolas.ferre@...rochip.com, robh@...nel.org,
        j.neuschaefer@....net, linux-doc@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] Replace HTTP links with HTTPS ones: Documentation/arm



On 26.06.20 at 23:09, Jonathan Corbet wrote:
> On Fri, 26 Jun 2020 21:44:08 +0200
> "Alexander A. Klimov" <grandmaster@...klimov.de> wrote:
> 
>> Rationale:
>> Reduces attack surface on kernel devs opening the links for MITM
>> as HTTPS traffic is much harder to manipulate.
>>
>> Deterministic algorithm:
>> For each file:
>>    If not .svg:
>>      For each line:
>>        If doesn't contain `\bxmlns\b`:
>>          For each link, `\bhttp://[^# \t\r\n]*(?:\w|/)`:
>>            If both the HTTP and HTTPS versions
>>            return 200 OK and serve the same content:
>>              Replace HTTP with HTTPS.
>>
>> Signed-off-by: Alexander A. Klimov <grandmaster@...klimov.de>
>> ---
>>   Changes in v2:
>>   Undone all handhelds.org changes and 0 of 0 wearablegroup.org changes.
> 
> I wasn't asking that the changes be undone, I was asking that those links
> simply be removed.  They are actively harmful - much more so than any http:
> links - and shouldn't be there.  *Sigh*.  I guess I'll just do that.
You know what: I totally agree with you! They are actively harmful and 
shall not be there. End of story.

But *why* don't you let me work step-by-step and *focus on one task* at 
a time?

I.e. focus (for now) on HTTP links which shall stay in the kernel tree 
rather than on the ones which shall not.

IMAO both domains have literally nothing to do with e.g. the HTTPSified 
www.ti.com and ww1.microchip.com.

My trainers (employer) taught me to split commits (patches) per one 
thing I've done. (What you asked for is a legit thing, but it's another 
thing.)

Also *after* finishing my current todo list I'll think about automating 
the detection of such. (This would have a much larger coverage.)

> 
> jon
> 
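
The "Deterministic algorithm" from the quoted commit message, written out as an added Python example that is not part of this message or of the patch. The two regular expressions are copied from the commit message; the names `upgrade`, `httpsify` and `fake_fetch`, the example.* hosts and the in-memory fetcher standing in for real HTTP(S) requests are assumptions made for illustration.

```python
import re
from pathlib import PurePath

# Both patterns are quoted from the commit message.
XMLNS = re.compile(r"\bxmlns\b")
LINK = re.compile(r"\bhttp://[^# \t\r\n]*(?:\w|/)")

def upgrade(url, fetch):
    """Return the HTTPS URL only if both schemes give 200 OK and the same body."""
    https_url = "https://" + url[len("http://"):]
    try:
        http, https = fetch(url), fetch(https_url)
    except OSError:  # refused connection, TLS failure, timeout: keep the link
        return url
    same = http[0] == https[0] == 200 and http[1] == https[1]
    return https_url if same else url

def httpsify(filename, text, fetch):
    """Apply the algorithm to one file's text and return the rewritten text."""
    if PurePath(filename).suffix == ".svg":
        return text
    out = []
    for line in text.splitlines(keepends=True):
        if not XMLNS.search(line):  # never touch XML namespace identifiers
            line = LINK.sub(lambda m: upgrade(m.group(0), fetch), line)
        out.append(line)
    return "".join(out)

# Constructed sample data: hypothetical hosts and (status, body) responses.
FAKE_WEB = {
    "http://docs.example.com/board": (200, b"datasheet"),
    "https://docs.example.com/board": (200, b"datasheet"),
    "http://parked.example.net/": (200, b"original project page"),
    "https://parked.example.net/": (200, b"domain for sale"),
}

def fake_fetch(url):
    if url not in FAKE_WEB:
        raise OSError("unreachable: " + url)
    return FAKE_WEB[url]

SAMPLE = (
    "See http://docs.example.com/board.\n"
    "Old site: http://parked.example.net/ (archived)\n"
    '<svg xmlns="http://www.w3.org/2000/svg">\n'
    "Mirror: http://gone.example.org/files#top\n"
)
```

Only the first link in `SAMPLE` is rewritten: the second serves different content over HTTPS, the third sits on an `xmlns` line, and the fourth host is unreachable.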
