[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#992692: general: Use https for {deb,security}.debian.org by default

Hallo,
* Michael Stone [Wed, Sep 08 2021, 07:25:26PM]:
> On Wed, Sep 08, 2021 at 03:56:14PM +0200, Ansgar wrote:
> > On Wed, 2021-09-08 at 15:41 +0200, Helmut Grohne wrote:
> > > On Wed, Sep 08, 2021 at 02:01:03PM +0200, Ansgar wrote:
> > > > So what do you suggest then? Tech-ctte as with merged-/usr? Or a
> > > > GR? Or
> > > > something else?
> > >
> > > I propose that the proponents pay the cost. In this case, it is a bit
> > > unclear what that means precisely (which likely is the reason they
> > > haven't done it already). At the very least though, apt install
> > > auto-apt-proxy should continue to work on a default installation in a
> > > sensible way.
> >
> > I can file a bug for auto-apt-proxy to include an apt.conf snippet
> > saying
> >
> >  Acquire::https::Verify-Peer false;
> >
> > That clearly makes it work again
>
> I think the issue isn't certificate validation, it's that https proxy
> requests are made via CONNECT rather than GET. You could theoretically
> rewrite the proxy mechanism to MITM the CONNECT, but that wouldn't be a
> drop-in replacement. I suppose you could instead add an apt option to pass
> the https request to the proxy via GET instead of using CONNECT, but I think

Precisely. Current handling of HTTPS on a caching proxy is either
impossible or PITA for the user, as long as a such mixed behavior is not
configurable.  apt-cacher-ng works around that by telling users to
disguise https URLs as HTTP with a special marker for protocol switch
(ugly, I know).

Also keep in mind that it off-loads the encryption work to the proxy,
but that might be even intentional.

> that also won't necessarily work on an existing proxy.

Speaking at least for ACNG, my assumption was that it would support that
but I was wrong. TODO created,
https://salsa.debian.org/blade/apt-cacher-ng/-/issues/11 .

> If we're imagining apt options, something like
> Acquire::https::Force-Proxy-HTTP true;
> would probably be more useful for this specific case (not that I think it's
> a great idea--too much potential for surprise).

I would make it a list of trusted proxy hosts and a special value ALL.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994032 created.

Best regards,
Eduard.
Reply to: