Update and secure several references #4649
Here we work our way through all insecure http references in the repository, update the ones where the old references would lead to 404s or have otherwise been moved, and change the references to use https where possible. In each case, we've manually checked that the updated references work as expected.
For reference, the remaining insecure references are the following; we've left the ones used in tests unchanged, as well as the ones used as apt repositories (for which the fetching of the gpg key has been secured):
I have checked a good sample of the links here, and everything seems to check out. I left one comment only. I wonder if it would be possible to regularly check all the links in the project to find defunct ones.
In any case, I am satisfied that the changes here are reasonable, but I had not realised that they are necessary. Might there be a downside to linking to HTTPS for every external resource?
@martindurant: Thanks for checking!
A script for running through an entire git repository checking for broken links sounds like something that would be so useful that it ought to already exist; never saw such a thing though.
Necessity is in the eye of the beholder. Almost all of the references here would redirect to https on their own, and for those the only thing achieved by the changes here is that the user gets to skip a redirect (and thus a potential MITM vector, small as it may be). When I went through the exercise regardless it was mainly in the interest of pursuing "HTTPS Everywhere"; in particular figuring out if there is anything that keeps the dask subdomains from just redirecting everything to https on their own (cf. dask/dask.github.io#2), and whether or not there should be rulesets in https://github.com/EFForg/https-everywhere for the dask (and related pydata) pages.
Regarding downsides, the main one would be the potential issues caused by any of the external references one day deciding that they no longer want to support secure requests. This tends not to be very likely as it would break all references to the site in question already relying on HTTPS being supported, and at the same time, HTTPS is slowly but steadily becoming the default across the web (with browsers opting to label plain-HTTP requests as "insecure" in the near future).
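A sketch of the offline half of the audit discussed in this thread, added here as an example and not part of the pull request or the project's code: it lists plain-http references in a tree and separates the two categories the description says were left unchanged (tests and apt repository lines) from the ones to upgrade. The path and line heuristics, function names and sample files are assumptions; whether each https candidate actually resolves still has to be checked with a request, as was done manually for the PR.

```python
import re
from pathlib import Path

URL_RE = re.compile(r"http://[^\s\"'<>)\]]+")
# Assumed heuristic for an apt source line, optionally written via echo.
APT_RE = re.compile(r"^\s*(?:echo\s+[\"'])?deb(?:-src)?\s")


def classify(path, line):
    """Return 'test', 'apt' or 'upgrade' for one plain-http reference."""
    p = Path(path)
    if "tests" in p.parts or p.name.startswith("test_"):
        return "test"   # left unchanged in the PR
    if APT_RE.search(line):
        return "apt"    # left unchanged; the gpg key fetch is secured instead
    return "upgrade"


def scan_text(path, text):
    """Yield (path, lineno, url, category, https_candidate) per reference."""
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in URL_RE.finditer(line):
            url = m.group(0).rstrip(".,;:")  # drop sentence punctuation
            cat = classify(path, line)
            candidate = "https://" + url[len("http://"):] if cat == "upgrade" else None
            yield (str(path), lineno, url, cat, candidate)


def scan_tree(root):
    """Scan every regular file under root, skipping the .git directory."""
    for f in sorted(Path(root).rglob("*")):
        if f.is_file() and ".git" not in f.parts:
            yield from scan_text(f.relative_to(root), f.read_text(errors="ignore"))


# Constructed sample files (not taken from the repository).
SAMPLE = {
    "docs/index.rst": "See http://example.org/guide.\n",
    "pkg/tests/test_http.py": "url = 'http://localhost:8000/data'\n",
    "ci/install.sh": "echo 'deb http://apt.example.org/ubuntu stable main' >> /etc/apt/sources.list\n",
}


def demo():
    return [hit for path, text in SAMPLE.items() for hit in scan_text(path, text)]


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Running `scan_tree(".")` from a checkout root gives the same tuples for real files.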