Re: [Bug-wget] 'Saving HSTS entries to' bug

[Ander Juaristi]

Hi,

I would leave it unchanged. For me this is a WONTFIX, for the following
reasons:

 1. The message is only printed when debug output (-d) is enabled. That
is disabled by default. Any user who enables it is expected to be wise
enough to know how to interpret the output, or at least treat it with care.
 2. Solving this would require checking whether the scheme is 'ftp://'
and in the case of HTTP(S), further checking whether the
Strict-Transport-Security header was set (in the case of HTTPS), or we
were redirected to the HTTPS entry point of the site and that entry
point sets it. This adds extra unnecessary complexity for the single
reason of hiding an output that only appears in debug mode. IMO it does
not pay off.
 3. The HSTS file is read at the beginning, and written at the end. That
is the best way of doing it, and the way other UAs work. A simpler
solution than that proposed at point 2 would require putting the HSTS
load/save routines in other place, maybe checking them on a per-URL
basis. This also does not pay off IMO.

The best 'fix' that comes to my mind is a compromise. Don't remove the
message (for the reasons mentioned), but print how many HSTS entries
have been read/updated/written. Something like:

Saving HSTS entries to /home/strunk/.wget-hsts (read: 1, updated: 0)

I would do either this or nothing. Tell me if this is acceptable.

On 21/05/16 11:21, address@hidden wrote:
> this is displayed on every run even with hosts that have no HSTS, and
> with FTP and HTTP hosts.
> 
> the savannah 'bug submit' is broken.
> 
> 

Best regards,

- AJ