[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#992692: general: Use https for {deb,security}.debian.org by default

On Fri, Sep 10, 2021 at 12:00:57PM +0200, Timo Röhling wrote:
* Michael Stone <mstone@debian.org> [2021-09-08 19:25]:
I think the issue isn't certificate validation, it's that https proxy requests are made via CONNECT rather than GET. You could theoretically rewrite the proxy mechanism to MITM the CONNECT, but that wouldn't be a drop-in replacement. I suppose you could instead add an apt option to pass the https request to the proxy via GET instead of using CONNECT, but I think that also won't necessarily work on an existing proxy.
apt-cacher-ng has a second mode of operation where you can prefix
the source URL with the proxy URL, i.e.

deb http://proxyhost:3142/deb.debian.org/debian unstable main

Maybe we could introduce this as an "official" APT proxy mode, where
http(s)://REPO gets replaced by http://PROXY_URL/REPO (and the proxy
can decide whether or not to fetch via HTTPS as an implementation

I'd much rather see something more like I proposed earlier (splitting the selection of what suites/components to install from the policy of how to obtain them) rather than further layering+confusing these two concepts within sources.list.

Reply to: