
Bug#859930: apt-transport-https: Add http/2 support



Control: tags -1 - wontfix

On Sun, Apr 09, 2017 at 03:35:26PM +0200, Kurt Roeckx wrote:
> On Sun, Apr 09, 2017 at 02:53:17PM +0200, Julian Andres Klode wrote:
> > Control: tag -1 wontfix
> > 
> > On Sun, Apr 09, 2017 at 01:52:03PM +0200, Kurt Roeckx wrote:
> > > Package: apt-transport-https
> > > Severity: wishlist
> > > 
> > > Hi,
> > > 
> > > Can you add http/2 support?
> > 
> > I'd assume that it currently has http/2 support, as it's using
> > curl. If so, that will likely be dropped in the next release
> > cycle, if we add TLS support to the http method.
> 
> It's doing ALPN, but it's only sending http/1.1 in it. It's not
> offering h2 by default. On the other hand when I use "curl" it
> does use h2. I don't think the library enables it by default.

I think we need to 
  curl_easy_setopt(curl, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_2_0);
somewhere in methods/https.cc.

Not sure if we need to change anything else. I suggest you go
play with it and check if that works. If that is all that is
needed and we need a new update for stretch, we might be able
to include that line.

> 
> > I don't think we want to implement http/2 support in apt at
> > all - implementing the binary framing, multiplexing, header
> > compression, and all the other stuff is a lot of work.
> 
> I didn't suggest you write it yourself.

The reason why we don't pull in https by default is because
curl has too many dependencies. We need a very lightweight
implementation of things (and we also need a server for
integration tests, not just a client).

Oh, there is libnghttp2 that could be used, it only depends
on libc6.

That said, the first step is to get rid of the curl based
https method for buster, and offer https transport directly
in the apt package.

I think once we have added the TLS support to the http method, 
we can think about adding http2 via a library (as in: patches are
welcome then, I'm not sure http2 support is something we ourselves
are interested in, there are a lot of other issues).

> 
> > I don't think there is anything to gain from HTTP/2 support
> > - we don't fetch small files, so all the multiplexing, binary
> > framing, and header compression is basically irrelevant.
> 
> I guess my main motivation for asking for this is to try and do
> something about traffic analysis, and I think you can make it
> harder using http/2.

Hmm, OK.

-- 
Debian Developer - deb.li/jak | jak-linux.org - free software dev
                  |  Ubuntu Core Developer |
When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to ('inline').  Thank you.
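
The report quoted above (ALPN is sent, but it lists only http/1.1 and not h2) can be confirmed from a captured ClientHello by walking the ALPN extension body. The following is an added example, not part of the original message and not apt or curl code: a bounds-checked C parser for the RFC 7301 ProtocolNameList, where the function name `alpn_offers` and the sample byte arrays are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Body of a TLS ALPN extension (RFC 7301 ProtocolNameList):
 *   uint16 list_length, then repeated { uint8 name_length; name bytes }.
 * Returns 1 if `want` is offered, 0 if it is not, -1 if the data is malformed. */
int alpn_offers(const uint8_t *ext, size_t ext_len, const char *want)
{
    size_t want_len = strlen(want);
    if (ext_len < 2)
        return -1;
    size_t list_len = ((size_t)ext[0] << 8) | ext[1];
    if (list_len == 0 || list_len != ext_len - 2)
        return -1;                    /* empty list or length mismatch */

    const uint8_t *p = ext + 2;
    size_t left = list_len;
    int found = 0;
    while (left > 0) {
        size_t n = *p++;              /* length of the next protocol name */
        left--;
        if (n == 0 || n > left)
            return -1;                /* empty name or name overruns the list */
        if (n == want_len && memcmp(p, want, n) == 0)
            found = 1;                /* keep walking to validate the rest */
        p += n;
        left -= n;
    }
    return found;
}

/* Constructed sample: only "http/1.1" offered, as reported in the thread. */
const uint8_t ALPN_HTTP11_ONLY[] = {
    0x00, 0x09, 0x08, 'h', 't', 't', 'p', '/', '1', '.', '1' };
/* Constructed sample: "h2" offered first, then "http/1.1". */
const uint8_t ALPN_H2_AND_HTTP11[] = {
    0x00, 0x0c, 0x02, 'h', '2', 0x08, 'h', 't', 't', 'p', '/', '1', '.', '1' };
/* Constructed malformed sample: name length 8 with only 2 bytes left. */
const uint8_t ALPN_TRUNCATED[] = { 0x00, 0x03, 0x08, 'h', '2' };

int main(void)
{
    printf("http/1.1 only offers h2: %d\n",
           alpn_offers(ALPN_HTTP11_ONLY, sizeof ALPN_HTTP11_ONLY, "h2"));
    printf("h2 + http/1.1 offers h2: %d\n",
           alpn_offers(ALPN_H2_AND_HTTP11, sizeof ALPN_H2_AND_HTTP11, "h2"));
    return 0;
}
```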

