
Re: Q: Use https for {deb,security}.debian.org by default



On Sat, Aug 21, 2021 at 12:04:32PM +0100, Phil Morrell wrote:
> On Sat, Aug 21, 2021 at 10:40:32AM +0200, Wouter Verhelst wrote:
> > On Fri, Aug 20, 2021 at 07:20:22PM +0000, Jeremy Stanley wrote:
> > > Yes transparent proxies or overridden DNS lookups could be used to
> > > direct deb.debian.org and security.debian.org to your alternative
> > > location,
> > 
> > I've been thinking for a while that we should bake a feature in apt
> > whereby a network administrator can indicate somehow that there is a
> > local apt mirror and that apt should use that one in preference to
> > deb.debian.org.
> 
> This already exists in the form of an avahi service announcement for
> _apt_proxy._tcp, issued by both squid-deb-proxy and apt-cacher-ng.
> Literally the only thing needed client-side is installation of
> squid-deb-proxy-client […]

That will instruct apt to use the proxy to connect to the internet, but
this is quite literal in meaning: apt will perform a CONNECT request
establishing a tunnel between itself and the remote server via the
proxy, effectively bypassing any functionality the proxy would provide
if we didn't connect to the remote with https (as with http apt would
just issue GET requests to the proxy it could interact with).


apt can't just downgrade https to http if it knows about a proxy,
especially if that knowledge is provided by external, potentially
untrusted sources. To do that we would need to at least ask the user
interactively if it's okay to send the requests unencrypted to the proxy.

There is precedent with cdrom asking the user interactively to change
CDs if needed, so it isn't an entirely new concept, but libapt has no
generic question-asking code and cdrom is a cake walk compared to the
monster that is our http(s) implementation, so that is still a non-
trivial amount of code someone would need to write. Also in the libapt
front ends as you still need at least a bit of UI to actually expose the
question to the user.


Depending on how much control you have over the clients it might be
a lot easier to work with the mirror method. It can be (ab)used for
a lot more than most people give it credit for (Disclaimer: As I wrote
the current incarnation, I might be a *tiny bit* biased). That isn't
helping of course if you have no control at all over the clients as you
need some form of opt-in at least. So far, that opt-in was using http.


Best regards

David Kalnischkies
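
The difference between the two cases described in this message, as an added example that is not part of the original e-mail and is not apt's code: it builds the first request a client sends to a forward proxy for an http and an https source, then parses it the way a caching proxy would. The URL path and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample URLs: the host is from the thread, the path is illustrative.
HTTP_URL = "http://deb.debian.org/debian/dists/stable/InRelease"
HTTPS_URL = "https://deb.debian.org/debian/dists/stable/InRelease"


def client_request_to_proxy(url: str) -> bytes:
    """First bytes a client sends to a forward proxy for the given URL."""
    u = urlsplit(url)
    if u.scheme == "https":
        authority = f"{u.hostname}:{u.port or 443}"
        # Tunnel request: only host and port are in cleartext; the path and
        # everything after the TLS handshake are opaque to the proxy.
        return f"CONNECT {authority} HTTP/1.1\r\nHost: {authority}\r\n\r\n".encode()
    # Plain http: absolute-form target, so the proxy sees the full URL.
    return f"GET {url} HTTP/1.1\r\nHost: {u.netloc}\r\n\r\n".encode()


def proxy_view(raw: bytes) -> dict:
    """Parse the request line as a proxy would and report what it can act on."""
    method, target, _version = raw.split(b"\r\n", 1)[0].decode("ascii").split(" ")
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        return {"method": method, "host": host, "port": int(port),
                "path": None, "can_cache": False}
    u = urlsplit(target)
    return {"method": method, "host": u.hostname, "port": u.port or 80,
            "path": u.path, "can_cache": method == "GET"}


if __name__ == "__main__":
    for url in (HTTP_URL, HTTPS_URL):
        print(url, "->", proxy_view(client_request_to_proxy(url)))
```
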
