[Aptitude-devel] Bug#738785: aptitude: (remote) changelogs is broken after packages.d.o move to https

Raphael Geissert geissert at debian.org
Thu Feb 13 21:28:08 UTC 2014

On Thursday 13 February 2014 22:07:37 David Kalnischkies wrote:
> On Thu, Feb 13, 2014 at 07:52:38PM +0100, Julien Cristau wrote:
> > On Thu, Feb 13, 2014 at 10:27:47 +0100, Raphael Geissert wrote:
> > > On 13 February 2014 00:26, Julien Cristau <jcristau at debian.org>
> > > wrote:
> > > >           // Do not allow a redirection to switch protocol
> > > > -         if (tmpURI.Access == "http")
> > > >              return TRY_AGAIN_OR_REDIRECT;
> > > Yes, that's intentional as you should really not switch between
> > > protocols.
> > 
> > I'm afraid I don't understand where this comes from.  I don't think
> > redirecting from http to https is all that unreasonable?
> It isn't unreasonable by itself, but less than 1% of popcon users
> have the https client installed, so it will usually not work.
> (and as Raphael mentioned it was not possible at all until not too
>  long, so this check is also a 'lets not change too much in one go')
> I am working on it now that the code can switch the protocol (at least
> from http to https, but not to other protocols).[...]

First issue is that allowing any protocol switch would basically introduce a 
vulnerability in the system. There are too many apt methods and they could 
be reached by redirecting http://foo/request to $method://...

Any protocol switch should also be backed by a policy decision, IMO.

> Anyway: As said, basically nobody has the https method installed, so we
> either have to force it on everyone or we need the service to continue
> to provide the changelog over http for apts http client.

I'd rather see aptitude call curl(1) to fetch it and just add a Recommends, 
or even just a Suggests.

Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

More information about the Aptitude-devel mailing list