* Michael Stone <mstone@debian.org> [2021-09-08 19:25]:
> I think the issue isn't certificate validation, it's that https
> proxy requests are made via CONNECT rather than GET. You could
> theoretically rewrite the proxy mechanism to MITM the CONNECT, but
> that wouldn't be a drop-in replacement. I suppose you could instead
> add an apt option to pass the https request to the proxy via GET
> instead of using CONNECT, but I think that also won't necessarily
> work on an existing proxy.

apt-cacher-ng has a second mode of operation where you can prefix
the source URL with the proxy URL, i.e.

    deb http://proxyhost:3142/deb.debian.org/debian unstable main

Maybe we could introduce this as an "official" APT proxy mode, where
http(s)://REPO gets replaced by http://PROXY_URL/REPO (and the proxy
can decide whether or not to fetch via HTTPS as an implementation
detail)?
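
The rewrite proposed in the message above, sketched as an added example that is not part of the original e-mail and is not APT or apt-cacher-ng code. It assumes one-line-style `sources.list` entries and the `proxyhost:3142` address from the sample line; the function names and the choice to skip URIs with embedded credentials are this example's own.

```python
import re

PROXY = "proxyhost:3142"  # proxy address from the sample line in the message

# One-line-style entry: type, optional [options], http(s) URI, suite and components.
ENTRY = re.compile(
    r"^(?P<type>deb(?:-src)?)\s+(?P<opts>\[[^\]]*\]\s+)?"
    r"https?://(?P<repo>\S+)(?P<tail>\s.*)?$"
)

def rewrite_entry(line, proxy=PROXY):
    """Replace http(s)://REPO with http://PROXY/REPO in one sources.list line."""
    m = ENTRY.match(line.strip())
    if not m:
        return line  # comments, blank lines, file:/cdrom: sources stay as they are
    repo = m.group("repo")
    authority = repo.split("/", 1)[0]
    if authority == proxy:
        return line  # already in prefixed form
    if "@" in authority:
        # Assumption of this example: skip URIs with embedded credentials,
        # which would otherwise cross the plain-HTTP hop to the proxy.
        return line
    fields = [m.group("type")]
    if m.group("opts"):
        fields.append(m.group("opts").strip())
    fields.append(f"http://{proxy}/{repo}")
    return " ".join(fields) + (m.group("tail") or "")

def rewrite_sources(text, proxy=PROXY):
    """Apply rewrite_entry to every line of a sources.list file."""
    return "\n".join(rewrite_entry(l, proxy) for l in text.splitlines())

# Constructed sample sources.list content.
SAMPLE = """\
# main archive
deb https://deb.debian.org/debian unstable main
deb-src [arch=amd64] http://deb.debian.org/debian unstable main
deb file:/srv/local-repo ./
deb http://proxyhost:3142/deb.debian.org/debian unstable main"""

if __name__ == "__main__":
    print(rewrite_sources(SAMPLE))
```

The original scheme is dropped in the rewritten entry, which matches the proposal: whether the upstream fetch uses HTTPS is left to the proxy.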