Re: Bug#992692: general: Use https for {deb,security}.debian.org by default

To: debian-devel@lists.debian.org
Subject: Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
From: Michael Stone <mstone@debian.org>
Date: Fri, 10 Sep 2021 07:56:07 -0400
Message-id: <[🔎] b318471a-122d-11ec-9b6a-00163eeb5320@msgid.mathom.us>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 20210910100057.akpktznzbcoxeuqz@mail.gaussglocke.de>
References: <162963701727.2536441.3655242380753523899.reportbug@tiny> <[🔎] ca14340e6210ef3779fb89e0f6fd151ce5e73622.camel@43-1.org> <YTikKFgV74s/TRoz@alf.mars> <162963701727.2536441.3655242380753523899.reportbug@tiny> <[🔎] 691e2c4d4ae713dd37c050ecd94fef12d4d94200.camel@43-1.org> <[🔎] YTi9ppF2qlSjDfk8@alf.mars> <162963701727.2536441.3655242380753523899.reportbug@tiny> <[🔎] 0eb40ed8267e44023b2634992b3ad4e23ec10c2b.camel@43-1.org> <[🔎] 65ac5d24-10fa-11ec-9b6a-00163eeb5320@msgid.mathom.us> <[🔎] 20210910100057.akpktznzbcoxeuqz@mail.gaussglocke.de>

On Fri, Sep 10, 2021 at 12:00:57PM +0200, Timo Röhling wrote:

* Michael Stone <mstone@debian.org> [2021-09-08 19:25]:
I think the issue isn't certificate validation, it's that httpsproxy requests are made via CONNECT rather than GET. You couldtheoretically rewrite the proxy mechanism to MITM the CONNECT, butthat wouldn't be a drop-in replacement. I suppose you could insteadadd an apt option to pass the https request to the proxy via GETinstead of using CONNECT, but I think that also won't necessarilywork on an existing proxy.
apt-cacher-ng has a second mode of operation where you can prefix
the source URL with the proxy URL, i.e.

deb http://proxyhost:3142/deb.debian.org/debian unstable main

Maybe we could introduce this as an "official" APT proxy mode, where
http(s)://REPO gets replaced by http://PROXY_URL/REPO (and the proxy
can decide whether or not to fetch via HTTPS as an implementation
detail)?

I'd much rather see something more like I proposed earlier (splitting theselection of what suites/components to install from the policy of how toobtain them) rather than further layering+confusing these two conceptswithin sources.list.

Reply to:

References:
- Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: Ansgar <ansgar@43-1.org>
- Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: Helmut Grohne <helmut@subdivi.de>
- Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: Ansgar <ansgar@43-1.org>
- Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: Helmut Grohne <helmut@subdivi.de>
- Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: Ansgar <ansgar@43-1.org>
- Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: Michael Stone <mstone@debian.org>
- Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
  - From: Timo Röhling <roehling@debian.org>

Prev by Date: Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
Next by Date: Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
Previous by thread: Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
Next by thread: Re: Bug#992692: general: Use https for {deb,security}.debian.org by default
Index(es):
- Date
- Thread