Re: Bug#738785: aptitude: (remote) changelogs is broken after packages.d.o move to https

To: Julien Cristau <jcristau@debian.org>
Cc: Julian Andres Klode <jak@debian.org>, Raphael Geissert <geissert@debian.org>, David Kalnischkies <david@kalnischkies.de>, 738785@bugs.debian.org, apt@packages.debian.org
Subject: Re: Bug#738785: aptitude: (remote) changelogs is broken after packages.d.o move to https
From: Michael Vogt <mvo@debian.org>
Date: Fri, 14 Feb 2014 19:45:54 +0100
Message-id: <[🔎] 20140214184554.GE7858@bod>
In-reply-to: <[🔎] 20140214071506.GG17725@betterave.cristau.org>
References: <201402122330.41267.geissert@debian.org> <[🔎] 20140213185238.GC17725@betterave.cristau.org> <[🔎] 20140213210737.GA5490@crossbow> <[🔎] 201402132228.08886.geissert@debian.org> <[🔎] 20140214075929.GA14994@debian.org> <[🔎] 20140214071506.GG17725@betterave.cristau.org>

On Fri, Feb 14, 2014 at 08:15:06AM +0100, Julien Cristau wrote:
> On Fri, Feb 14, 2014 at 08:02:16 +0100, Julian Andres Klode wrote:
> > On Thu, Feb 13, 2014 at 10:28:08PM +0100, Raphael Geissert wrote:
> > > First issue is that allowing any protocol switch would basically introduce a 
> > > vulnerability in the system. There are too many apt methods and they could 
> > > be reached by redirecting http://foo/request to $method://...
> > 
> > I also would not want any redirects, especially not from https to
> > something unsecured. But http -> https makes sense.
> > 
> The https method *already* silently follows https→http redirects today,
> as far as I can tell.  Just tried
> apt-get -o Apt::Changelogs::Server=https://packages.debian.org/changelogs changelog tor
> and I got the changelog from
> http://metadata.ftp-master.debian.org/changelogs/main/t/tor/tor_0.2.4.20-1_changelog
> The http method doesn't get involved, libcurl just does what
> /usr/lib/apt/methods/https tells it to.

Indeed, thanks for this report. This is fixed in git now, apt will not
follow redirects from https->http anymore.

Cheers,
 Michael

Reply to:

References:
- Re: Bug#738785: aptitude: (remote) changelogs is broken after packages.d.o move to https
  - From: Julien Cristau <jcristau@debian.org>
- Re: Bug#738785: aptitude: (remote) changelogs is broken after packages.d.o move to https
  - From: David Kalnischkies <david@kalnischkies.de>
- Re: Bug#738785: aptitude: (remote) changelogs is broken after packages.d.o move to https
  - From: Raphael Geissert <geissert@debian.org>
- Re: Bug#738785: aptitude: (remote) changelogs is broken after packages.d.o move to https
  - From: Julian Andres Klode <jak@debian.org>
- Re: Bug#738785: aptitude: (remote) changelogs is broken after packages.d.o move to https
  - From: Julien Cristau <jcristau@debian.org>

Prev by Date: Bug#677587: marked as done (apt net-update does not check subkeys for collisions)
Next by Date: Bug#738880: apt-get uses globbing but reports regex for selecting packages + documentation issues
Previous by thread: Re: Bug#738785: aptitude: (remote) changelogs is broken after packages.d.o move to https
Next by thread: Re: [Aptitude-devel] Bug#738785: aptitude: (remote) changelogs is broken after packages.d.o move to https
Index(es):
- Date
- Thread