HTTP links on https://curl.haxx.se/download.html #1882
Yeah, I think there are three parts to this:
I started on 1 and 2 a while ago and have converted a whole bunch over to HTTPS already.
Most of them that are available over HTTPS are converted now.
I've removed several dead entries and I've chased down HTTPS links - turned out to be work since many of the download sites don't automatically redirect to HTTPS even when they do offer HTTPS alternatives! There are now 152 entries in the download database out of 247 that are still using "unsafe" URLs. But without us knowing any safe alternative URLs to them. I made our internal system visualize this better to make it more apparent to us adding and editing entries. That means 95 (38%) are using HTTPS links right now. I think this is as far as we can get right now.
The mirror.city-fan.org (Paul Howarth) links are now available over https.
@pghmcfc excellent!
Recount: Out of the 245 download links currently stored, 115 are using "unsafe" URLs (FTP or HTTP). That's 130 or 53% using HTTPS links.
BTW, @hannob also opened an issue against the Wget website, which should now be clean. So, maybe it's worth a try to file bugs against the HTTP-only domain admins to ask for HTTPS.
Yeah, could be. But that's an awful lot of work since that's like 100 different sites, most of them without a clear bug/issue tracker where such bugs could be filed. I suspect most of them would have to be contacted by email and I'm just generally pessimistic about non-HTTPS site owners acting on single users asking them to switch to HTTPS...
Hmmm, if it's so many, is there a way to find out the admin's email to automatically generate emails? Maybe
I'm down to 54 unique host names with linked download resources not available over HTTPS. Most of these host really old versions of curl too, which indicates that they're not eagerly maintained: azalea.ics.agh.edu.pl
Just had quick look with
with your list in You'll find a few persons (at least the emails look like it), but also many general addresses from big hosters. Likely those won't answer, so you are left with some hand-picked email addresses in the end.
You should make a second try, just hand-tested some:
And maybe it is worth to open an issue for the Redhat server.
Thanks, fixed! This is not really a game that ends. Servers will come and go over time so surely some will break soon and there will soon appear HTTPS alternatives for currently unsafe ones. We will continue updating links going forward as we analyze the daily download-scanner logs and hope that people keep reporting issues.
Closing this issue. Thanks everyone!
A last tip, latest statistics stuff for Wget2 (GSOC 2017 project):
to get a (machine readable) CSV report about TLS features. This is the current list with domains that seem to support HTTPS:
On the curl download page
https://curl.haxx.se/download.html
there are a lot of HTTP links to pages that either provide HTTPS or default to HTTPS. Also there seem to be some dead links.
It's a lot of links, so not sure how to best tackle this, but one could probably start by making a script that goes through all of them and checks for http->https redirects and 404 errors.
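A sketch of the link check proposed in this issue, as an added example that is not part of the thread or of curl's own tooling: it flags http->https redirects and dead links, and also tries the `https://` twin of each `http://` URL, since hosts may offer HTTPS without redirecting to it. The function names and verdict strings are assumptions, and the `example.*` hosts and their responses are constructed sample data.

```python
import http.client
from urllib.parse import urljoin, urlsplit

# Constructed probe results (placeholder hosts): URL -> (status, Location header)
SAMPLE = {
    "http://mirror.example.org/curl.tar.gz": (301, "https://mirror.example.org/curl.tar.gz"),
    "http://old.example.net/curl.zip": (200, None),
    "https://old.example.net/curl.zip": (200, None),  # HTTPS offered, but no redirect
    "http://gone.example.com/curl.rpm": (404, None),
    "http://plain.example.edu/curl.tgz": (200, None),
}

def fake_probe(url):  # offline stand-in for probe(); unknown URLs act as unreachable
    return SAMPLE.get(url, (None, None))

def probe(url, timeout=10):
    """HEAD without following redirects -> (status, Location); (None, None) on failure."""
    p = urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.netloc, timeout=timeout)  # HTTPS verifies the certificate by default
    try:
        conn.request("HEAD", (p.path or "/") + ("?" + p.query if p.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    except (OSError, http.client.HTTPException):  # DNS, TCP and TLS errors land here
        return None, None
    finally:
        conn.close()

def alive(status):
    return status is not None and 200 <= status < 400

def classify(url, probe=probe):
    """Return (verdict, suggested_replacement_url_or_None) for one download link."""
    scheme = urlsplit(url).scheme
    if scheme not in ("http", "https"):
        return "unsafe-other-scheme", None  # e.g. ftp://, no transport security
    status, location = probe(url)
    if scheme == "https":
        return ("ok-https" if alive(status) else "dead"), None
    target = urljoin(url, location) if location else ""  # Location may be relative
    if status in (301, 302, 303, 307, 308) and urlsplit(target).scheme == "https":
        return "redirects-to-https", target
    twin = "https://" + url[len("http://"):]  # same host and path over TLS
    if alive(probe(twin)[0]):
        return "https-available", twin
    return ("http-only" if alive(status) else "dead"), None

if __name__ == "__main__":
    print([(u, *classify(u, fake_probe)) for u in SAMPLE])
```

Calling `classify(url)` without the second argument uses the real `probe()` and needs network access.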