
Re: Replacing apt's http method (dropping curl)



On Wed, Jun 28, 2017 at 2:00 AM, Julian Andres Klode <jak@debian.org> wrote:
> Hi everyone,
>
> as we discussed before in IRC, we plan to eventually replace
> our existing curl-based https method with our http method,
> by adding TLS support to it. This will move HTTPS support
> into apt proper, removing the apt-transport-https package.
>
> I'm not sure how long this will take, I hope we get something
> useful next month.
>

Great stuff!

>
> Implementation
> ==============
> I so far implemented basic https support using GnuTLS, including
> SNI and certificate validation, and one (!) local CA file (as our
> tests need that). The code is incredibly hacky right now. And
> https->http redirects don't work yet.
>

I think this shouldn't work (at least by default). If https->http
happens silently (not dying with an error or requiring a force
option), that would make degradation happen while users think they are
using HTTPS properly.

Regards,
Aron
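
The default argued for in the reply above (refuse an https->http redirect unless a force option is set), sketched as an added example that is not part of the original message and is not apt's code. The names `RedirectVerdict`, `check_redirect`, `first_refused_hop` and `allow_downgrade` are hypothetical, and the host names in any call are constructed placeholders.

```cpp
// Added example: redirect policy that refuses https->http unless explicitly allowed.
// All names here are hypothetical; this is not apt's implementation.
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

enum class RedirectVerdict { Follow, RefuseDowngrade, RefuseScheme };

// Lower-cased scheme of an absolute URI, or "" for a relative reference
// (including scheme-relative "//host/path"), which inherits the current scheme.
static std::string scheme_of(const std::string& uri) {
    std::string::size_type colon = uri.find(':');
    if (colon == std::string::npos || colon == 0) return "";
    if (!std::isalpha(static_cast<unsigned char>(uri[0]))) return "";
    for (std::string::size_type i = 0; i < colon; ++i) {
        unsigned char c = static_cast<unsigned char>(uri[i]);
        if (!(std::isalnum(c) || c == '+' || c == '-' || c == '.')) return "";
    }
    std::string s = uri.substr(0, colon);
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

RedirectVerdict check_redirect(const std::string& current, const std::string& location,
                               bool allow_downgrade = false) {
    const std::string from = scheme_of(current);
    std::string to = scheme_of(location);
    if (to.empty()) to = from;  // relative Location keeps the current scheme
    if (to != "http" && to != "https") return RedirectVerdict::RefuseScheme;
    if (from == "https" && to == "http" && !allow_downgrade)
        return RedirectVerdict::RefuseDowngrade;  // fail loudly instead of degrading
    return RedirectVerdict::Follow;
}

// Walk a chain of Location values, tracking only the scheme in effect.
// Returns the index of the first refused hop, or -1 if every hop may be followed.
int first_refused_hop(std::string current, const std::vector<std::string>& locations,
                      bool allow_downgrade = false) {
    for (std::size_t i = 0; i < locations.size(); ++i) {
        if (check_redirect(current, locations[i], allow_downgrade) != RedirectVerdict::Follow)
            return static_cast<int>(i);
        if (!scheme_of(locations[i]).empty()) current = locations[i];
    }
    return -1;
}
```

Comparing each hop against the scheme currently in effect means an http->https upgrade followed later by a redirect back to http is also refused.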

