Re: Bug#139710: first version of https support available
Pardon the interruption, as I just stumbled on this bug. I was
interested in implementing https as well. I have a few questions and
comments on this issue:
1) SSL is useless w/o certificate verification.
This isn't necessarily true. In the scenario where you have an internal
apt server to your organization, and you wish to use user/pass
authentication, SSL becomes very critical, and cert verification is not
as important, as you are on an internal network.
CA available for a private organization to verify their own internal
certs? ie, I trust myself, therefore I trust the certs I run on my own
internal systems.
A simple configuration option to apt.conf would take care of all
scenarios w/ https. If you had an option to "Verify Cert=Yes/No", you
can give system administrators a wide range of flexibility. Individuals
on an internal network can continue w/o error, but ppl hitting public
https servers could be warned (apt stops/continues ?) of an unverified
cert.
2) HTTPS never be accepted b/c of OpenSSL needing to be in main
How is OpenSSL (BSD style license) affected by the crypto in main
migration?
Matt Pavlovich