[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Pre-approval for apt 0.7.21: "Valid-Until" feature and proxy changes

Hello Thijs,
hello FTP masters, please see problem 2) below...

Thijs Kinkhorst wrote:
>> However, it seems there is no better solution, or is there?
> Why are we trying to invent something new here, with Valid-Until? The problem 
> is that we want to ensure that the Release file of the security archive is 
> actually provided by that archive and not by a man in the middle. That 
> problem has already been solved: use https. If apt would get the release file 
> over https from the security archive it would know it is the right one. The 
> rest of the downloads can then happen over http. Of course this needs APT to 
> have some notion of what a valid certificate is for security.debian.org; that 
> could be addressed by adding it to the debian-archive-keyring package.
This makes sense for me, but may introduce some problems...

1) insert apt-transport-https and all its deps into base system (libcurl,
kerberos etc.)
2) Release and Release.gpg, installed on security.debian.org, should be
somehow synchronized with at least all official Debian mirrors, I don't know
how hard it would be to insert this move into archive infrastructure (ftp
masters CC'ed)
3) needs some hardcoded black magic in APT - if user has an entry

'deb http://abc.def.edu/debian lenny main'

in sources.list, how can we know whether it is an official Debian archive and
do we need to pick Release file from 'https://security.debian.org' or from
host itself?..

Eugene V. Lyubimkin aka JackYF, JID: jackyf.devel(maildog)gmail.com
Ukrainian C++ Developer, Debian Maintainer, APT contributor

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: