[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Pre-approval for apt 0.7.21: "Valid-Until" feature and proxy changes

Hello release folks!

APT team has prepared two important changes in apt, please give us a decision(s) whether
are they appropriate for Lenny or not.

Change #1 aka "Valid-Until for preventing replay attacks"

Motivation of this change is bug #499897, "preventing replay attacks against the security
archive" [1]. Summary of change:

1. Add the support for the Valid-Until header in the Release file.
2. Add Acquire::Max-Default-Age configuration option that defaults to 7 days for

The result of change: APT will refuse to use too outdated Release file at the earliest
'update' action after Release expiry. The possible attacker will not allowed to ship the
same outdated Release (so outdated Packages too) after the date in 'Valid-Until' entry in
Release file, preventing the attack. In case of absence of this field in Release file,
option "Acquire::Max-Default-Age::Debian-security" will be used. The default number of
days for this option, "7", is discussible, of course.

Change #2 aka "Stop the mess with proxy settings in APT"

Motivation: set of bug reports [2][3][4][5][6] saying that proxy settings in apt is quite
a mess and counter-intuitive. Main fault was treating http_proxy and ftp_proxy environment
variables as more priority ones than APT's Acquire::{ftp,http}::Proxy[::host] settings.
Moreover, https proxy setting had a strange bug regarding http_proxy is set or not, and
some proxy info was discarded at all.

The change unifies proxy settings behavior, removes a mess, and tries to document new
behavior clearly.

debian/NEWS file contains following entry regarding this change:

apt (0.7.21) unstable; urgency=low

  * Code that determines which proxy to use was changed. Now
    'Acquire::{http,ftp}::Proxy[::<host>]' options have the highest priority,
    and '{http,ftp}_proxy' environment variables are used only if options
    mentioned above are not specified.

, that describes change and its consequences. Appropriate documentation updates for
apt.conf(5) included too.


The apt 0.7.21~exp1 that contains these two changes (over 0.7.20), just uploaded to

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499897
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=157759
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=320174
[4] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=365880
[5] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=445985
[6] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=479617

Eugene V. Lyubimkin aka JackYF, JID: jackyf.devel(maildog)gmail.com
Ukrainian C++ developer, Debian Maintainer, APT contributor

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: