[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#756022: ITP: apt-transport-s3 -- APT transport for privately held AWS S3 repositories

On Fri, Jul 25, 2014 at 03:00:17PM +0100, Marcin Kulisz (kuLa) wrote:
> * Package name    : apt-transport-s3

Note that this is only 'needed' for private S3, apt came to terms with
public S3 desperate its problems (like pipelining and decoding of '+')
– which this copy doesn't support, but see next section:

>   Version         : 20120426090326git
>   Upstream Author : Kyle Shank <kyle.shank@gmail.com>
> * URL             : https://github.com/kyleshank/apt-s3
> * License         : GPLv3

That is surprising to see. It seems to be a slightly modified 6 years
old copy of apt's http method (with all its bugs of course) which just
got 2 years ago GPLv3(+) headers.

APT itself (and the copied code, too) is GPL2+, which this copy avoids
mentioning as it doesn't tell you anything about being a copy (looking
at some of the forks and how they do the same to https, oh dear…) while
the copyright is claimed by the upstream author alone.

Slightly modified as the modification in s3.h is the addition of the
license header, while s3.cc goes the extra-mile of including openssl
(remember, I said GPL2+ – nothing about an OpenSSL exception) and curl
(no idea why, as it isn't used) to get SHA1 and Base64 encoding (which
is both already available in libapt anyway) to set a "Date:" and an
"Authorization: AWS" header for AWS while removing our "Authorization:
Basic" support. Oh, and it does change the user-agent from "Debian APT"
to "Ubuntu APT"… (and yes, I diff'ed that against an apt checkout from
that time as the history of upstream is non-existent).

I have the strong feeling that this could just as well be patched into
apt directly. Some of the forks (really, 77 forks? for this? apt has
a serious marketing problem…) suggest that a bunch of stuff could be
added, which I guess are not that okayish for apt directly, but I would
encourage you in any case to contact us at deity@lists.debian.org so we
can work out how to avoid a massive code-copy as this is (as shown here)
prune to get out of date and accumulate unfixed (security) bugs fast.

> deb s3://AWS_ACCESS_ID:[AWS_SECRET_KEY]@s3.amazonaws.com/BUCKETNAME wheezy main

btw: You don't need to write your credentials in a sources.list anymore
(which should be world-readable) if your apt is recent enough (and with
recent I mean at least oldstable). You can populate a netrc-like file at
/etc/apt/auth.conf with them (create it if you must and set for it the
permissions to your liking!).

Best regards

David Kalnischkies

Attachment: signature.asc
Description: Digital signature

Reply to: