Bug#212732: Bug#427909: Bug#212732: support redirects and interactive authentication (Progeny)

[Anthony Towns <aj@azure.humbug.org.au>]

On Fri, Jan 30, 2009 at 09:14:54PM +0100, Michael Vogt wrote:
> On Sun, Dec 21, 2008 at 10:45:13PM +1000, Anthony Towns wrote:
> > Attached is a patch against apt 0.7.19 (current in lenny/sid)
> > including just the Redirect support from Jeff Licquia's patch in
> > Bug#212732. 
> Thanks a lot for this, I merged it into my bzr tree and it will be
> part of the next merge into debian (experimental initially). 

Great!

> > As far as the issues described in Bug#66434 with bad redirection [...]
> One possible issue I can see is that consistency may become a
> issue. If the server that redirects does that to mirrors that are not
> in sync and the Release file comes from A but the Packages file from B
> users may run into hashsum failures. 

Yup; that'll be caught and give an error though. I presume the most
likely use will be either redirecting all requests -- in which case
synchronisation isn't an issue; or redirecting pool/ but not dists/ -- in
which case 404s are the only risk, I can see, and seems reasonably minor.

> I can not think of any security concerns about the patch, the
> signature and hashsum code should protect us here to the extend
> possible. 

Yup, that matches my understanding.

Cheers,
aj