Update Python.org.xml

[davidabian]

No description provided.

[J0WI]

WFM:
pypi.python.org
planet.python.org

[davidabian]

@J0WI: It seems that pypi is already here.
Should we join both files together?

[J0WI]

Yes, could you do that?

[J0WI]

@davidabian would be great to have this fixed :)

[jeremyn]

@davidabian Are you still interested in working on this one?

[jeremyn]

pypi.python.org is already in a different ruleset, Pypi.xml. It looks like that ruleset is included in the updates in this pull request, so you can delete that ruleset in this pull request.

[jeremyn]

Please:

Remove from top comment:

• https://ns1.pl.python.org , because this is too internal to list

Mark as Invalid certificate, and add (Incomplete certificate chain) next to it in the comment if noted:

• https://es.python.org
• https://calendario.es.python.org
• https://documentos-asociacion.es.python.org
• https://empleo.es.python.org
• https://hg.es.python.org (Incomplete certificate chain)
• https://lists.es.python.org (Incomplete certificate chain)
• https://forum.pl.python.org
• https://mail.pl.python.org
• https://redesign.python.org

Mark as No working URL known:

• https://front.python.org

Mark as Refused:

• https://buildbot.python.org
• https://dinsdale.python.org
• https://www.es.python.org
• https://ftp.python.org
• https://legacy.python.org

Mark as Secure connection failed:

• https://blog.python.org
• https://blog-cn.python.org
• https://blog-de.python.org
• https://blog-es.python.org
• https://blog-fr.python.org
• https://blog-ja.python.org
• https://blog-ko.python.org
• https://blog-pt.python.org
• https://blog-ro.python.org
• https://blog-ru.python.org
• https://blog-tw.python.org

Remove due to being HSTS preloaded (see #5109 (comment)):

• https://www.python.org
• https://console.python.org (and the related test)
• https://doc.python.org
• https://pypi.python.org
• https://wiki.python.org

Add target:

• https://cheeseshop.python.org
• https://discuss.python.org
• https://hg.es.python.org
• https://lists.es.python.org and remove from top comment
• https://speed.python.org
• https://staging2.python.org
• https://svn.python.org , add <test url="http://svn.python.org/projects/sftools/" /> , and remove from top comment
• https://vote.python.org
• https://warehouse-staging.python.org

Also:

• Delete the altnames comment, we don't need it
• Delete the Direct rewrites comment, we don't need it
• Combine the securecookie tags and add more subdomains to it Modify the securecookie tags as discussed in Update Python.org.xml #5109 (comment).
• Delete the SVN.Python.org.xml ruleset file

[jeremyn]

@davidabian I'm checking in on this pull request. Are you planning on making the changes I requested?

[davidabian]

@jeremyn Yes, I am.

[jeremyn]

I've updated the checklist through c9b696a.

For the securecookie, you added:

<securecookie host="^(?:[^@:/]+\.)python\.org$" name=".*" />

Looking at the style guide, I think a better fit with the same effect is:

<securecookie host="^[\w.-]+\.python\.org$" name=".+" />

but please double-check that. I originally had something more explicit like this in mind, and that would be okay too.

For the merge conflicts, that was caused by #8128 which removed docs.python.org and hg.python.org. So, just remove those two subdomains and then merge or rebase.

Because of all the commits, is it all right with you if I remove the commit messages when I squash-and-merge at the end?

[davidabian]

Thanks, @jeremyn. Yes, please, feel free to remove these commit messages.

[jeremyn]

Thanks, looks good. Can you fix the conflict yourself? The problem is that if I do it for you, then I'm supposed to get another reviewer to look at my changes, and that might take a while.

Also, can you please move the openbadges.es target between lists.es and jobs? The goal is to have the subdomains grouped together in sub-subdomain order. You can also combine the es subdomains in the securecookie like (hs|lists|openbadges)\.es .

[davidabian]

Some certificates have expired since this pull request was opened. Should we wait until they are renewed?

[Hainish]

It looks like this PR contains some domains that are HSTS preloaded: https://chromium.googlesource.com/chromium/src/net/+/refs/heads/master/http/transport_security_state_static.json
Looking now: wiki.python.org, www.python.org, pypi.python.org, doc.python.org, and console.python.org

Since these are rewritten to HTTPS by the browser itself, there is no need to include them in this ruleset. Removing them will cause the preload test to pass.

Thanks for contributing this! It's a big improvement.

[jeremyn]

@davidabian I updated the checklist through 13eaa5f and emailed the Python.org webmaster about their certificate. Let's give them a few days on that problem.

EDIT: I also added some new items to the checklist, sorry.

[jeremyn]

I've also added the HSTS preloaded domains that were mentioned in #5109 (comment) to the checklist.

[jeremyn]

The Python.org team has renewed their certificate for https://svn.python.org, so that's not a problem anymore.

[jeremyn]

@gloomy-ghost @J0WI Can one of you please review the small changes I made and then merge this?