[Aptitude-devel] Bug#738785: aptitude: (remote) changelogs is broken after packages.d.o move to https
mvo at debian.org
Fri Feb 14 18:45:54 UTC 2014
On Fri, Feb 14, 2014 at 08:15:06AM +0100, Julien Cristau wrote:
> On Fri, Feb 14, 2014 at 08:02:16 +0100, Julian Andres Klode wrote:
> > On Thu, Feb 13, 2014 at 10:28:08PM +0100, Raphael Geissert wrote:
> > > First issue is that allowing any protocol switch would basically introduce a
> > > vulnerability in the system. There are too many apt methods and they could
> > > be reached by redirecting http://foo/request to $method://...
> > I also would not want any redirects, especially not from https to
> > something unsecured. But http -> https makes sense.
> The https method *already* silently follows https→http redirects today,
> as far as I can tell. Just tried
> apt-get -o Apt::Changelogs::Server=https://packages.debian.org/changelogs changelog tor
> and I got the changelog from
> The http method doesn't get involved, libcurl just does what
> /usr/lib/apt/methods/https tells it to.
Indeed, thanks for this report. This is fixed in git now, apt will not
follow redirects from https->http anymore.
More information about the Aptitude-devel