[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Replacing apt's http method (dropping curl)

On Wed, Jun 28, 2017 at 03:42:14AM +0800, Aron Xu wrote:
> On Wed, Jun 28, 2017 at 2:00 AM, Julian Andres Klode <jak@debian.org> wrote:
> > Hi everyone,
> >
> > as we discussed before in IRC, we plan to eventually replace
> > our existing curl-based https method with our http method,
> > by adding TLS support to it. This will move HTTPS support
> > into apt proper, removing the apt-transport-https package.
> >
> > I'm not sure how long this will take, I hope we get something
> > useful next month.
> >
> 
> Great stuff!
> 
> >
> > Implementation
> > ==============
> > I so far implemented basic https support using GnuTLS, including
> > SNI and certificate validation, and one (!) local CA file (as our
> > tests need that). The code is incredibly hacky right now. And
> > https->http redirects don't work yet.
> >
> 
> I think this shouldn't work (at least by default). If https->http
> happens silently (not dying with an error or requiring a force
> option), that would make degradation happen while users think they are
> using HTTPS properly.

Sorry, I of course meant: Does not fail correctly. It just hangs. I'm
currently rewriting the stuff, the second version should be cleaner and
hopefully fix this issue.

-- 
Debian Developer - deb.li/jak | jak-linux.org - free software dev
                  |  Ubuntu Core Developer |
When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to ('inline').  Thank you.
Reply to: