docs: update sourceforge project links [ci skip] #9630
Conversation
PROJECT.sourceforge.net addresses support HTTPS now, seemingly by default. Until recently, equivalent .io addresses were offering HTTPS, with a redirect to the HTTP .net site for projects that did not opt-in to HTTPS and staying on .io for those that did. PROJECT.sourceforge.net did not offer HTTPS at all. Now, .io addresses seem to unconditionally redirect to the .net URL, but with _HTTP_, even though all those got HTTPS enabled. Possible deployment glitch? FWIW, both .io and .net are served through Cloudflare. The step back from .io to .net for user content is a little bit puzzling, as well as the insecure redirect between them. This patch converts all .io addresses (back) to .net, so now they are all accessible via HTTPS, without a redirect. Ref: https://sourceforge.net/p/forge/documentation/Project%20Web%20Services/#changes-as-of-september-2022
|
UPDATE 1: .io → .net redirection may (or may not) happen for projects that did not opt-in to HTTPS before. E.g. this .io URL is not being redirected at the time of writing this: https://libpng.sourceforge.io/. Moreover, in this case, the .net URL perm-redirects right back to .io, via HTTPS. So now each project needs to be tested individually to find out if the canonical project URL is the .io or the .net one. UPDATE 2: According to 1, SourceForge now renamed the .io space to "alternate" from "newer", and the difference between the two is PHP version or somesuch. Projects can select between them. It no longer seems to be bound to HTTPS opt-in status. It means this is by design. This would be a minor/no issue if redirect were correctly configured. Footnotes |
SourceForge projects can now choose between two hostnames, with .io and .net ending. Both support HTTPS by default now. Opening the other variant will perm-redirected to the one chosen by the project. The .io -> .net redirection is done insecurely. Let's update the URLs to point to the current canonical endpoints to avoid any redirects. Closes curl#9630
PROJECT.sourceforge.net addresses support HTTPS now, seemingly by default. 1
Until recently 23, equivalent .io addresses were offering HTTPS, with a redirect to the HTTP .net site for projects that did not opt-in to HTTPS and staying on .io for those that did. PROJECT.sourceforge.net did not offer HTTPS at all.
Now, .io addresses became a project-selectable option 4, so some of them perm-redirect to the .net URL, but with HTTP, even though all those got HTTPS enabled. Then HTTP gets perm-redirected back to HTTPS in a next step. Possible deployment glitch? Other project stay on the .io address. Needs to be detected on a per-project basis.
FWIW, both .io and .net are served through Cloudflare.
The step back from .io to .net for user content is a little bit puzzling, as well as the insecure redirect between them and the ambiguity in deciding which flavor is the canonical one (= without a redirect).
This patch converts all .io addresses (back) to .net, so now they are all accessible via HTTPS, without a redirect.
Footnotes
https://sourceforge.net/p/forge/documentation/Project%20Web%20Services/#changes-as-of-september-2022 ↩
https://sourceforge.net/p/forge/documentation/Convert%20your%20website%20to%20HTTPS/ ↩
https://sourceforge.net/blog/introducing-https-for-project-websites/ ↩
https://sourceforge.net/p/forge/documentation/Project%20Web%20Services/diff?v1=57&v2=56 ↩