
Bug#771896: apt-transport-https must depend on ca-certificates



On Thursday 04 December 2014 02:35 AM, David Kalnischkies wrote:
> You are assuming that each and everyone is using -https with
> a certificate anchored by the big CA guys contained in the
> ca-certificate package.
> That isn't required though. There is no problem in using a self-signed
> certificate or to pin to a specific CA for example.

The normal practice is to use a CA-signed certificate, and people with
such a certificate expect it to work out of the box, while people using
self-signed certificates know they will need additional steps to make
things work.

And with people.debian.org serving only https, this would be a more common
issue.

While I also don't agree with the CA certificate model, that is a
different problem to solve.

> In other words: It is at most a Recommends and not Depends.
> 
> 
> And while it might not hurt[0] to add it to -https, we depend on
> libcurl3-gnutls, which itself recommends ca-certificates, so you already
> get it if you haven't chosen to be unusual (= disabled recommends).

There was nothing unusual in this configuration. I ran

pbuilder create --distribution jessie
pbuilder login

and used apt-get install apt-transport-https

I think aptitude would have installed ca-certificates.

> In other words: No need to fix that for jessie - as the release team has
> already ruled with the severity downgrade.
> 
> 
> [0] Now, one last bit: fix the bug after jessie or not?
> Well, -https doesn't use ca-certificates directly. It uses curl which
> uses it, but we don't explicitly request it: It is just their default
> and I would argue that it is more their task to "work out of the box"
> than it is ours to make that happen – and they do, so if we do it as
> well we achieve nothing, but risk that this becomes obsolete (or worse)
> if they change their default to something else.

That is reasonable.

> So, all things combined: Closing as not a bug. 

Since I already found a workaround of installing ca-certificates
manually, I won't push it further.
