Steve Langasek: First snowfall of the next ice age


"If you don't like seeing cumbersome security warnings for insecure https connections, how about not using https when what you really want is http in the first place?"

Because I don't necessarily have the choice. When I'm reporting a bug on a given open source Trac, they often put https on them because they think it's better for them (and for them it is because they generated the certificate and so on), and there is no http version. Note that when I use https for myself, I import my CA in firefox, so I don't have a single warning, so I kind of know how to avoid them when I care about https. But there isn't always a plain HTTP alternative, and that is what makes it a real PITA.

Okay, you want to warn the user the https isn't secure, there are plenty of ways that don't require you to add an exception on a certificate. I spoke of the little lock, because that's what is even on IE, but please remember that when you browse trusted https, the URL bar is in this kind of yellow. Well, if the https is unsecure, just don't put that background. If you really want, you can add some kind of rosa color to mark that it's "bad" but in a not too terrible way (in opposition to a broken/invalid certificate and where the URL bar should be blinking red with an air-raid like siren).

I repeat, the fact that the HTTPS certificate is self-signed never changes the fact that when a given user goes on this kind of https site, he wants to be there, and HE WILL click on the 5 silly steps of the SSL exception thing. So why bother? It serves one single purpose: pissing users off.

And for what it's worth, I disagree with you, most of the people that are not computer related I know absolutely don't know they could think that http_s_ is more secure than http. Each time I give them a URL without the http:// part they ask, is this https or http?, because they absolutely don't get the difference, and I don't try to explain it to them, because this would lead them to think https is better. Those kinds of people only rely on visual helpers from the browser part. They really do.

PS: yes I also believe that bad security is worse than no security because it gives the illusion for people to be safe, and then they have bad behavior. When your condom is broken, things can go really wrong. But you missed my point, in the sense, probably because I'm too annoyed to make it clear in between rants. My point really was what I tried to explain, namely that if people don't know they should think there is security in the first place, your remark is moot, and for the other you can activate the different URL background, it's just fine. Of course, invalid certificates must remain a pain to go through, this whole thing is only about the untrusted ones.
<liw> Guest1482, iirc fakeroot doesn't work on all architectures, and there may be situations where it doesn't work on any, but it should certainly be used when possible
<Clint> liw: it should always work the same on all the linux ones
<liw> Clint, I have a vague recollection of libc making life difficult for fakeroot on... sh? hppa? but I may be utterly wrong here, and I hope I am
<Clint> liw: there was a crackheaded struct change on alpha, but vorlon and i fixed that
<Clint> "fixed"
<liw> Clint, ok, so I'm utterly wrong, and the world is a better place for it
<Clint> that's right, so stop spreading fakeroot fud
<Clint> OR ELSE

I take it back, I offer a complete and utter retraction. The imputation was totally without basis in fact, and was in no way fair comment, and was motivated purely by malice, and I deeply regret any distress that my comments may have caused fakeroot, or its family, and I hereby undertake not to repeat any such slander at any time in the future.
Can I has a release, pleez?
Featuring: dato, luk, vorlon, aba, he
Artwork by: h0lg3r

"Fourteen ways in which you can avoid starting a flame war on a Debian mailing list". In the end I went for something more technical, but I've never stopped thinking about liw's challenge. I ended up writing talk notes about such a potential talk. Here they are.

The classics
chef before delivery
dadadodo before delivery
polygen-generated messages before delivery