
Bug#992692: general: Use https for {deb,security}.debian.org by default



On Wed, 2021-09-08 at 15:41 +0200, Helmut Grohne wrote:
> On Wed, Sep 08, 2021 at 02:01:03PM +0200, Ansgar wrote:
> > So what do you suggest then? Tech-ctte as with merged-/usr? Or a GR?
> > Or something else?
> 
> I propose that the proponents pay the cost. In this case, it is a bit
> unclear what that means precisely (which likely is the reason they
> haven't done it already). At the very least though, apt install
> auto-apt-proxy should continue to work on a default installation in a
> sensible way.

I can file a bug for auto-apt-proxy to include an apt.conf snippet
saying

  Acquire::https::Verify-Peer false;

That clearly makes it work again: you ask for auto-apt-proxy users to
have connections that can be impersonated by a man in the middle by
default. The above setting does that.

Not verifying certificates for some users seems better than having all
users not verify certificates (as no https is used at all).


> In the absence of reason not to use https, https should be preferred.
> As it happens, we figured a reason not to use https.

I can find a reason not to use https for any protocol (some sites want
to inspect/cache all traffic) :-)


Ansgar
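As an added illustration (not part of the thread above, and not auto-apt-proxy's own configuration), the apt.conf fragment below sets the global snippet quoted in the message beside a narrower form. It relies on apt.conf(5)'s host-specific variants of the https options (Acquire::https::<host>::...); the proxy host name and the CA file path are placeholders.

```conf
// Global form, as quoted in the thread: turns off certificate verification
// for every https host apt contacts, so any on-path party can impersonate
// the mirror. Shown here only for comparison; do not ship it as a default.
//   Acquire::https::Verify-Peer "false";

// Scoped form (assumed alternative): keep verification on and trust the
// caching proxy's own CA for that one host only. Other https hosts keep
// the system trust store and full verification.
// "apt-proxy.example.internal" and the CA path are placeholders.
Acquire::https::apt-proxy.example.internal::CaInfo "/usr/local/share/ca-certificates/apt-proxy-ca.crt";
Acquire::https::apt-proxy.example.internal::Verify-Peer "true";
Acquire::https::apt-proxy.example.internal::Verify-Host "true";
```

To see which setting is actually in effect on a machine, including snippets dropped into /etc/apt/apt.conf.d/ by other packages, run `apt-config dump | grep -i verify-peer` and check whether any line sets it to false.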

