Re: Pre-approval for apt 0.7.21: "Valid-Until" feature and proxy changes
Eugene V. Lyubimkin wrote:
> Hello Thijs,
> hello FTP masters, please see problem 2) below...
> Thijs Kinkhorst wrote:
>>> However, it seems there is no better solution, or is there?
>> Why are we trying to invent something new here, with Valid-Until? The problem
>> is that we want to ensure that the Release file of the security archive is
>> actually provided by that archive and not by a man in the middle. That
>> problem has already been solved: use https. If apt would get the release file
>> over https from the security archive it would know it is the right one. The
>> rest of the downloads can then happen over http. Of course this needs APT to
>> have some notion of what a valid certificate is for security.debian.org; that
>> could be addressed by adding it to the debian-archive-keyring package.
> This makes sense for me, but may introduce some problems...
> 1) insert apt-transport-https and all its deps into base system (libcurl,
> kerberos etc.)
> 2) Release and Release.gpg, installed on security.debian.org, should be
> somehow synchronized with at least all official Debian mirrors, I don't know
> how hard it would be to insert this move into archive infrastructure (ftp
> masters CC'ed)
> 3) needs some hardcoded black magic in APT - if user has an entry
> 'deb http://abc.def.edu/debian lenny main'
> in sources.list, how can we know whether it is an official Debian archive and
> do we need to pick Release file from 'https://security.debian.org' or from
> host itself?..
2) and 3) are moot AFAICS as the user has no choice in what to put in
sources.list for the security archive. 1) doesn't have to be mandatory
for Lenny IMHO, just possible for interesting parties who want to try it
already. We probably should discuss this after Lenny and maybe even test