Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs: update sourceforge project links [ci skip] #9630

Closed
wants to merge 2 commits into from

Conversation

vszakats
Copy link
Member

@vszakats vszakats commented Oct 1, 2022

PROJECT.sourceforge.net addresses support HTTPS now, seemingly by default. 1

Until recently 23, equivalent .io addresses were offering HTTPS, with a redirect to the HTTP .net site for projects that did not opt-in to HTTPS and staying on .io for those that did. PROJECT.sourceforge.net did not offer HTTPS at all.

Now, .io addresses became a project-selectable option 4, so some of them perm-redirect to the .net URL, but with HTTP, even though all those got HTTPS enabled. Then HTTP gets perm-redirected back to HTTPS in a next step. Possible deployment glitch? Other project stay on the .io address. Needs to be detected on a per-project basis.

FWIW, both .io and .net are served through Cloudflare.

The step back from .io to .net for user content is a little bit puzzling, as well as the insecure redirect between them and the ambiguity in deciding which flavor is the canonical one (= without a redirect).

This patch converts all .io addresses (back) to .net, so now they are all accessible via HTTPS, without a redirect.

Footnotes

  1. https://sourceforge.net/p/forge/documentation/Project%20Web%20Services/#changes-as-of-september-2022

  2. https://sourceforge.net/p/forge/documentation/Convert%20your%20website%20to%20HTTPS/

  3. https://sourceforge.net/blog/introducing-https-for-project-websites/

  4. https://sourceforge.net/p/forge/documentation/Project%20Web%20Services/diff?v1=57&v2=56

PROJECT.sourceforge.net addresses support HTTPS now, seemingly by
default.

Until recently, equivalent .io addresses were offering HTTPS, with a
redirect to the HTTP .net site for projects that did not opt-in to HTTPS
and staying on .io for those that did. PROJECT.sourceforge.net did not
offer HTTPS at all.

Now, .io addresses seem to unconditionally redirect to the .net URL, but
with _HTTP_, even though all those got HTTPS enabled. Possible deployment
glitch?

FWIW, both .io and .net are served through Cloudflare.

The step back from .io to .net for user content is a little bit puzzling,
as well as the insecure redirect between them.

This patch converts all .io addresses (back) to .net, so now they are all
accessible via HTTPS, without a redirect.

Ref: https://sourceforge.net/p/forge/documentation/Project%20Web%20Services/#changes-as-of-september-2022
@vszakats
Copy link
Member Author

vszakats commented Oct 1, 2022

UPDATE 1:

.io → .net redirection may (or may not) happen for projects that did not opt-in to HTTPS before. E.g. this .io URL is not being redirected at the time of writing this: https://libpng.sourceforge.io/.

Moreover, in this case, the .net URL perm-redirects right back to .io, via HTTPS. So now each project needs to be tested individually to find out if the canonical project URL is the .io or the .net one.

UPDATE 2:

According to 1, SourceForge now renamed the .io space to "alternate" from "newer", and the difference between the two is PHP version or somesuch. Projects can select between them. It no longer seems to be bound to HTTPS opt-in status. It means this is by design. This would be a minor/no issue if redirect were correctly configured.

Footnotes

  1. https://sourceforge.net/p/forge/documentation/Project%20Web%20Services/diff?v1=57&v2=56

@vszakats vszakats marked this pull request as draft Oct 1, 2022
@vszakats vszakats closed this in 265fbd9 Oct 1, 2022
@vszakats vszakats deleted the sfhttps branch Oct 1, 2022
markg85 pushed a commit to markg85/curl that referenced this pull request Oct 3, 2022
SourceForge projects can now choose between two hostnames, with .io and
.net ending. Both support HTTPS by default now. Opening the other variant
will perm-redirected to the one chosen by the project.

The .io -> .net redirection is done insecurely.

Let's update the URLs to point to the current canonical endpoints to
avoid any redirects.

Closes curl#9630
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

1 participant