[Aptitude-devel] Bug#738785: aptitude: (remote) changelogs is broken after packages.d.o move to https

Julien Cristau jcristau at debian.org
Fri Feb 14 07:15:06 UTC 2014

On Fri, Feb 14, 2014 at 08:02:16 +0100, Julian Andres Klode wrote:

> On Thu, Feb 13, 2014 at 10:28:08PM +0100, Raphael Geissert wrote:
> > First issue is that allowing any protocol switch would basically introduce a 
> > vulnerability in the system. There are too many apt methods and they could 
> > be reached by redirecting http://foo/request to $method://...
> I also would not want any redirects, especially not from https to
> something unsecured. But http -> https makes sense.
The https method *already* silently follows https→http redirects today,
as far as I can tell.  Just tried
apt-get -o Apt::Changelogs::Server=https://packages.debian.org/changelogs changelog tor
and I got the changelog from
The http method doesn't get involved, libcurl just does what
/usr/lib/apt/methods/https tells it to.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/aptitude-devel/attachments/20140214/f7bc138f/attachment.sig>

More information about the Aptitude-devel mailing list