[Aptitude-devel] Bug#738785: aptitude: (remote) changelogs is broken after packages.d.o move to https

Julian Andres Klode jak at debian.org
Fri Feb 14 07:02:16 UTC 2014


On Thu, Feb 13, 2014 at 10:28:08PM +0100, Raphael Geissert wrote:
> First issue is that allowing any protocol switch would basically introduce a 
> vulnerability in the system. There are too many apt methods and they could 
> be reached by redirecting http://foo/request to $method://...

I also would not want any redirects, especially not from https to
something unsecured. But http -> https makes sense.


> 
> Any protocol switch should also be backed by a policy decision, IMO.
> 
> > Anyway: As said, basically nobody has the https method installed, so we
> > either have to force it on everyone or we need the service to continue
> > to provide the changelog over http for apt's http client.
> 
> I'd rather see aptitude call curl(1) to fetch it and just add a Recommends, 
> or even just a Suggests.

curl does not make that much sense. APT's https method is curl based as
well, and both are not installed usually, so there's no large difference,
except that using curl(1) is ugly.

-- 
Julian Andres Klode  - Debian Developer, Ubuntu Member

See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.

Please do not top-post if possible.
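
The redirect policy discussed in this message, as an added example that is not part of the original mail and is not APT or aptitude code. It assumes one reading of the thread (same-scheme redirects and http -> https are followed, every other scheme switch is refused); the function names, the hop limit and the `pkg.example` URLs are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Assumed policy (an interpretation of the thread, not APT's implementation):
# only these scheme changes are followed; staying on the same scheme is fine.
ALLOWED_SWITCHES = {("http", "https")}
START_SCHEMES = {"http", "https"}
MAX_HOPS = 5  # constructed limit to stop redirect loops


class RedirectRefused(Exception):
    """Raised when a redirect would violate the scheme policy."""


def next_url(current, location):
    """Resolve a Location value against the current URL and apply the policy."""
    # Relative and scheme-relative values inherit the current scheme here.
    target = urljoin(current, location.strip())
    old = urlsplit(current).scheme.lower()
    new = urlsplit(target).scheme.lower()  # urlsplit lowercases, e.g. FILE -> file
    if new != old and (old, new) not in ALLOWED_SWITCHES:
        # Covers https -> http downgrades and jumps to other methods
        # such as file: or cdrom:.
        raise RedirectRefused(f"{old} -> {new} refused: {target}")
    return target


def follow(start, locations):
    """Walk a chain of Location values; return the final URL or raise."""
    if urlsplit(start).scheme.lower() not in START_SCHEMES:
        raise RedirectRefused(f"unsupported start scheme: {start}")
    url = start
    for hop, location in enumerate(locations, 1):
        if hop > MAX_HOPS:
            raise RedirectRefused("too many redirects")
        url = next_url(url, location)
    return url


def allowed(start, locations):
    """True if the whole chain passes the policy."""
    try:
        follow(start, locations)
        return True
    except RedirectRefused:
        return False
```

Because each hop is checked against the scheme of the previous hop, a chain that upgrades to https and then tries to go back to http is refused at the second hop.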


