Re: [Bug-wget] 'Saving HSTS entries to' bug

From: Tim Ruehsen
Subject: Re: [Bug-wget] 'Saving HSTS entries to' bug
Date: Tue, 24 May 2016 10:24:13 +0200
User-agent: KMail/4.14.10 (Linux/4.5.0-2-amd64; KDE/4.14.20; x86_64; ; )

On Monday 23 May 2016 23:59:45 Ander Juaristi wrote:
> Hi,
> I would leave it unchanged. For me this is a WONTFIX, for the following
> reasons:
>  1. The message is only printed when debug output (-d) is enabled. That
> is disabled by default. Any user who enables it is expected to be wise
> enough to know how to interpret the output, or at least treat it with care.
>  2. Solving this would require checking whether the scheme is 'ftp://'
> and in the case of HTTP(S), further checking whether the
> Strict-Transport-Security header was set (in the case of HTTPS), or we
> were redirected to the HTTPS entry point of the site and that entry
> point sets it. This adds extra unnecessary complexity for the single
> reason of hiding an output that only appears in debug mode. IMO it does
> not pay off.
>  3. The HSTS file is read at the beginning, and written at the end. That
> is the best way of doing it, and the way other UAs work. A simpler
> solution than that proposed at point 2 would require putting the HSTS
> load/save routines in another place, maybe checking them on a per-URL
> basis. This also does not pay off IMO.
> The best 'fix' that comes to my mind is a compromise. Don't remove the
> message (for the reasons mentioned), but print how many HSTS entries
> have been read/updated/written. Something like:
> Saving HSTS entries to /home/strunk/.wget-hsts (read: 1, updated: 0)
> I would do either this or nothing. Tell me if this is acceptable.

Hi Ander,

IMO, another possibility is to add a flag to 'struct hsts_store' that 
indicates any change made. hsts_store_save() could be skipped if that flag is 
not set.

At the same time the debug info has to be moved from main.c/save_hsts() to 
hsts.c/hsts_store_save() OR hsts.c needs another function to return the value 
of the flag, so that save_hsts() could check it.



Attachment: signature.asc
Description: This is a digitally signed message part.
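
The change-flag idea from the reply above, sketched as an added example; this is not code from wget or from either poster. The `demo_*` names, the fixed-size store and the tab-separated file format are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; this is not wget's hsts.c API. */
#define DEMO_MAX_ENTRIES 8
struct demo_entry { char host[64]; long max_age; bool incl_sub; };
struct demo_hsts_store {
    struct demo_entry entries[DEMO_MAX_ENTRIES];
    int count;
    bool changed;               /* set whenever an entry is added or modified */
};

/* Record a policy for host. Returns true only if the store content changed. */
bool demo_store_update(struct demo_hsts_store *s, const char *host, long max_age, bool incl_sub)
{
    struct demo_entry *e = NULL;
    for (int i = 0; i < s->count; i++)
        if (strcmp(s->entries[i].host, host) == 0)
            e = &s->entries[i];
    if (e && e->max_age == max_age && e->incl_sub == incl_sub)
        return false;           /* identical policy seen again: nothing to persist */
    if (!e) {
        if (s->count == DEMO_MAX_ENTRIES || strlen(host) >= sizeof e->host)
            return false;       /* store full or host too long: entry is dropped */
        e = &s->entries[s->count++];
        strcpy(e->host, host);
    }
    e->max_age = max_age;
    e->incl_sub = incl_sub;
    return s->changed = true;
}

/* Second option from the reply: let the caller query the flag. */
bool demo_store_has_changed(const struct demo_hsts_store *s) { return s->changed; }

/* Returns 1 if written, 0 if skipped (unchanged), -1 on I/O error; debug line only on a real write. */
int demo_store_save(struct demo_hsts_store *s, const char *path)
{
    if (!s->changed) return 0;  /* file is not even opened */
    FILE *fp = fopen(path, "w");
    if (!fp) return -1;
    fprintf(stderr, "Saving HSTS entries to %s (%d entries)\n", path, s->count);
    for (int i = 0; i < s->count; i++)
        fprintf(fp, "%s\t%d\t%ld\n", s->entries[i].host,
                s->entries[i].incl_sub, s->entries[i].max_age);
    if (fclose(fp) != 0) return -1;
    s->changed = false;         /* on-disk copy now matches memory */
    return 1;
}
```
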
