On Wed, Jun 28, 2017 at 2:00 AM, Julian Andres Klode <j...@debian.org> wrote: > Hi everyone, > > as we discussed before in IRC, we plan to eventually replace > our existing curl-based https method with our http method, > by adding TLS support to it. This will move HTTPS support > into apt proper, removing the apt-transport-https package. > > I'm not sure how long this will take, I hope we get something > useful next month. >
Great stuff! > > Implementation > ============== > I so far implemented basic https support using GnuTLS, including > SNI and certificate validation, and one (!) local CA file (as our > tests need that). The code is incredibly hacky right now. And > https->http redirects don't work yet. > I think this shouldn't work (at least by default). If https->http happens silently (not dying with an error or requiring a force option), that would make degradation happen while users think they are using HTTPS properly. Regards, Aron