[Aptitude-devel] Bug#738785: aptitude: (remote) changelogs is broken after packages.d.o move to https
Raphael Geissert
geissert at debian.org
Thu Feb 13 21:28:08 UTC 2014
On Thursday 13 February 2014 22:07:37 David Kalnischkies wrote:
> On Thu, Feb 13, 2014 at 07:52:38PM +0100, Julien Cristau wrote:
> > On Thu, Feb 13, 2014 at 10:27:47 +0100, Raphael Geissert wrote:
> > > On 13 February 2014 00:26, Julien Cristau <jcristau at debian.org>
> > > wrote:
[...]
> > > > // Do not allow a redirection to switch protocol
> > > > - if (tmpURI.Access == "http")
[...]
> > > > return TRY_AGAIN_OR_REDIRECT;
[...]
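Review bot: the removed guard `if (tmpURI.Access == "http")` sits directly under the comment "Do not allow a redirection to switch protocol", so whatever condition replaces it in the elided lines should still name the permitted target schemes explicitly rather than accept any `tmpURI.Access` value. If http to https becomes allowed, update the comment to say so, since it would otherwise contradict the code.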
> > > Yes, that's intentional as you should really not switch between
> > > protocols.
> >
> > I'm afraid I don't understand where this comes from. I don't think
> > redirecting from http to https is all that unreasonable?
>
> It isn't unreasonable by itself, but less than 1% of popcon users
> have the https client installed, so it will usually not work.
> (and as Raphael mentioned it was not possible at all until not too
> long, so this check is also a 'let's not change too much in one go')
>
> I am working on it now that the code can switch the protocol (at least
> from http to https, but not to other protocols).[...]
First issue is that allowing any protocol switch would basically introduce a
vulnerability in the system. There are too many apt methods and they could
be reached by redirecting http://foo/request to $method://...
Any protocol switch should also be backed by a policy decision, IMO.
> Anyway: As said, basically nobody has the https method installed, so we
> either have to force it on everyone or we need the service to continue
> to provide the changelog over http for apts http client.
I'd rather see aptitude call curl(1) to fetch it and just add a Recommends,
or even just a Suggests.
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
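
The policy point made in the message above (a redirect may change protocol only where an explicit decision allows it), as an added C++ example that is not part of the original message or of apt's code. `SchemeOf`, `RedirectAllowed`, the allow-list contents and the sample URIs are assumptions constructed for illustration.

```cpp
#include <cctype>
#include <iostream>
#include <set>
#include <string>
#include <utility>

// Hypothetical helper: lower-cased scheme of an absolute URI, "" if absent or malformed.
// RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
static std::string SchemeOf(const std::string &uri) {
    const std::string::size_type colon = uri.find(':');
    if (colon == std::string::npos || colon == 0) return "";
    std::string scheme = uri.substr(0, colon);
    if (!std::isalpha(static_cast<unsigned char>(scheme[0]))) return "";
    for (char &c : scheme) {
        const unsigned char u = static_cast<unsigned char>(c);
        if (!std::isalnum(u) && c != '+' && c != '-' && c != '.') return "";
        c = static_cast<char>(std::tolower(u));
    }
    return scheme;
}

// Assumed policy: the only protocol switch permitted is http -> https.
static const std::set<std::pair<std::string, std::string>> kAllowedSwitches = {
    {"http", "https"},
};

// True if a redirect from `from` to `to` keeps the scheme or is an allowed switch.
// Relative Location values must be resolved against `from` before calling this.
static bool RedirectAllowed(const std::string &from, const std::string &to) {
    const std::string a = SchemeOf(from), b = SchemeOf(to);
    if (a.empty() || b.empty()) return false;  // fail closed on unparsable input
    if (a == b) return true;
    return kAllowedSwitches.count(std::make_pair(a, b)) != 0;
}

int main() {
    // Constructed sample redirects, not taken from the bug report.
    const char *targets[] = {"https://foo/request", "http://mirror.example/request",
                             "file:/constructed/path", "ftp://foo/request"};
    for (const char *t : targets)
        std::cout << "http://foo/request -> " << t << ": "
                  << (RedirectAllowed("http://foo/request", t) ? "follow" : "refuse") << '\n';
    return 0;
}
```

The allow-list is directional, so an https to http downgrade is refused unless a second pair is added deliberately.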