These are chat archives for fiji/fiji
Deborah asked me for some more context regarding this discussion, so here are some more details, which hopefully help more people to follow the conversation:
One issue with HTTPS + Java version is that only Java 1.8.0_101 and newer support SSL certs issued by the Let's Encrypt program. And all of the ImageJ websites use that program, because the SSL certs are automated and free.
However, Fiji shipped with Java 1.8.0_66 for quite some time. So older installations will not be new enough to use HTTPS URLs that reference update.imagej.net, update.fiji.sc or sites.imagej.net. Current Fiji bundles ship with Java 1.8.0_172, which will work.
One possibility is to simply require people to "just download a new Fiji". However, I am much more reluctant than he is to simply break the update feature for all older installations of Fiji. Or at least: I don't want to "silently" break it. I'd be OK with Fiji saying "Hey, your Java is old, you need a newer one if you want to use the Updater."
There is a chicken-and-egg problem too, regarding old versions of the Updater being hardcoded to HTTP and not supporting 301 redirects. Even if we add this Java version check... the instant we switch to force-HTTPS, older versions of Fiji will still break because they will try to reach out to http://update.imagej.net/ and will be told "301 redirected to https://update.imagej.net/" and then they will throw an exception. And even if they followed the redirect, they'd fail because they'd view the SSL certificate as invalid.
In my view, we need to continue honoring plain HTTP requests for a very long time, probably at least 3 more years. That said, if we add the Java version check, then at least people would get the latest versions of things, and subsequently (upon restart) be told that they should really now update their Java version because if they don't, they won't get secure updates.
There are also legacy installations of Fiji that use Java 6, and that certainly does not support HTTPS + Let's Encrypt either. To continue supporting the Fiji-Legacy update site, BoneJ1, 3D Viewer with Java 3D 1.5, and maybe other old things, we would need to continue allowing plain HTTP updates. An argument can be made that people wishing to use the Java-6 Fiji should download that version from the Fiji downloads page directly... but then I'd like to simply delete the Fiji-Legacy update site, since it becomes unusable.
Proposal: we chat tomorrow or on Monday... you explain to me/us what is missing and how we could fix it. I don't have a good overview of the status quo and clearly need this. Sounds reasonable?
As said multiple times: happy to help as soon as possible, e.g. by having a chat with @frauzufall and myself tomorrow or on Monday. If we are to invest time, we at least have to understand what to do, right?