Re: apt config options to specify the CA of the https repository?

To: debian-user@lists.debian.org
Subject: Re: apt config options to specify the CA of the https repository?
From: Vincent Lefevre <vincent@vinc17.net>
Date: Sun, 21 Sep 2025 23:51:17 +0200
Message-id: <[🔎] 20250921215117.GB346166@qaa.vinc17.org>
Mail-followup-to: debian-user@lists.debian.org
In-reply-to: <[🔎] 370dddc6-9701-11f0-8000-00163eeb5320@msgid.mathom.us>
References: <[🔎] AS8PR01MB7462042C1B6C2FF7E4DDA39F8511A@AS8PR01MB7462.eurprd01.prod.exchangelabs.com> <[🔎] CAH8yC8nwozem7-02CTq_v2C0wbtwTiPk3VBeStUC2WyznR1Fhw@mail.gmail.com> <[🔎] 20250921170954.GA215607@joooj.vinc17.net> <[🔎] 24ed4e32-96fd-11f0-8000-00163eeb5320@msgid.mathom.us> <[🔎] 20250921173234.GA346166@qaa.vinc17.org> <[🔎] 370dddc6-9701-11f0-8000-00163eeb5320@msgid.mathom.us>

On 2025-09-21 13:46:57 -0400, Michael Stone wrote:
> On Sun, Sep 21, 2025 at 07:32:34PM +0200, Vincent Lefevre wrote:
> > On 2025-09-21 13:11:28 -0400, Michael Stone wrote:
> > > On Sun, Sep 21, 2025 at 07:09:54PM +0200, Vincent Lefevre wrote:
> > > > With HTTP, connections can be redirected to a repository with
> > > > obsolete, vulnerable packages.
> > > 
> > > No they can't, there's a signed timestamp in the metadata and apt will warn
> > > if the repository isn't up to date.
> > 
> > There's no mention of such a timestamp there:
> > 
> > https://www.reddit.com/r/linux/comments/aidxwa/why_does_apt_not_use_https/
> 
> well, I don't really care about a random reddit thread ¯\_(ツ)_/¯
> 
> https://wiki.debian.org/DebianRepository/Format

Do you mean the Valid-Until field?

But it is said: "Client behaviour on expired Release files is
unspecified."

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)

Reply to:

Follow-Ups:
- Re: apt config options to specify the CA of the https repository?
  - From: Michael Stone <mstone@debian.org>

References:
- apt config options to specify the CA of the https repository?
  - From: Harald Dunkel <harald.dunkel@aixigo.com>
- Re: apt config options to specify the CA of the https repository?
  - From: Jeffrey Walton <noloader@gmail.com>
- Re: apt config options to specify the CA of the https repository?
  - From: Vincent Lefevre <vincent@vinc17.net>
- Re: apt config options to specify the CA of the https repository?
  - From: Michael Stone <mstone@debian.org>
- Re: apt config options to specify the CA of the https repository?
  - From: Vincent Lefevre <vincent@vinc17.net>
- Re: apt config options to specify the CA of the https repository?
  - From: Michael Stone <mstone@debian.org>

Prev by Date: Re: Laptop resumes each 1h13 after suspend-to-ram
Next by Date: Re: Help with my question, please.
Previous by thread: Re: apt config options to specify the CA of the https repository?
Next by thread: Re: apt config options to specify the CA of the https repository?
Index(es):
- Date
- Thread