On Tue, 6 Apr 2021 18:39:11 +1000 Trent W. Buck wrote:

> Early discussion on this bug is "do we even want SSL?".

Hello Trent,
thanks for following up on this wishlist bug report!

I think the conclusion of the first part of this report was that SSL
would be desirable, but not yet easy to achieve without licensing
issues.

> Please note this is now moot, as bugs.debian.org enforces SSL:
[...]
> Background reading:
>
>     https://en.wikipedia.org/wiki/HSTS

Thanks for the news.
This means that apt-listbugs now unintentionally uses SSL.

Let's leave things as they are, until OpenSSL v3.0.0 gets released and
included in Debian unstable and testing.
Please see [933252#10] for further details.

[933252#10]: <https://bugs.debian.org/933252#10>

>
>
> Boring context (you can ignore this):
>
>  1. apt-listbugs SOMETIMES breaks unattended-upgrades for me
>     (about 60% of the time), with this config:

Sorry about that.

>
>         Acquire::http::Proxy "http://apt-cacher-ng.cyber.com.au:3142";
>         Acquire::https::Proxy "DIRECT";
[...]
>     UPDATE: apt-listbugs/0.1.35 ignores Acquire::https::Proxy entirely,
>     which sounds wrong:
>
>         https://salsa.debian.org/frx-guest/apt-listbugs/-/blob/master/lib/aptlistbugs/logic.rb#L268

The reason is that apt-listbugs is currently unaware of any SSL-related
thing. So it looks at HTTP proxy settings, not HTTPS ones...

>
>  3. The documented workaround sounds silly, because I already set
>     a blanket DIRECT for https:
>
>         https://salsa.debian.org/frx-guest/apt-listbugs/-/blob/master/FAQ.md#how-can-i-use-apt-listbugs-with-apt-cacherapt-cacher-ng-proxies
>
>     UPDATE: since Acquire::https::Proxy is ignored, I guess I have
>     to do this.  Blech.

Probably you have, for the time being.
I admit that having to add one more configuration line sucks a bit,
but... please bear with apt-listbugs, which currently knows nothing
about SSL!

Have you tried this workaround?
I hope it can solve your unattended-upgrade issues.

>
>  4. Since bugs.debian.org already forces TLS (due to HSTS),
>     surely I just change the URL from http:// to https://?
[...]
> Looks like it's not even starting from a URL, but rather a hostname and
> a port number:
>
>     https://salsa.debian.org/frx-guest/apt-listbugs/-/blob/master/lib/aptlistbugs/logic.rb#L95

Correct, apt-listbugs currently builds the URL from hostname and port,
automatically adding the protocol part ("http://") and the rest...

>
>  5. I found this bug where people are bikeshedding the moral hazards
>     of condoning SSL.
>     I get annoyed.

I think that potential licensing incompatibilities are serious issues
that really have to be taken into account.
I don't consider paying attention to them as "bikeshedding".

Anyway, I appreciate your contribution (I wasn't aware of HSTS).
Let's hope that OpenSSL v3.0.0 gets released soon, so that we can make
use of it (after Debian bullseye is out, of course!).

Bye!   :-)

-- 
 http://www.inventati.org/frx/
 There's not a second to spare! To the laboratory!
..................................................... Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE
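
Added example, not part of the message above and not apt-listbugs code: a Ruby sketch of scheme-aware proxy selection, showing why a client that always builds an "http://" URL goes through apt-cacher-ng even when Acquire::https::Proxy is "DIRECT". The helper names `scheme_unaware_url` and `proxy_for` and the hash holding the apt settings are hypothetical; only the Acquire::<scheme>::Proxy keys and the per-host form from apt.conf(5) are consulted.

```ruby
require 'uri'

# Constructed sample: the two settings quoted in the message, as key/value pairs.
SAMPLE_APT_CONF = {
  'Acquire::http::Proxy'  => 'http://apt-cacher-ng.cyber.com.au:3142',
  'Acquire::https::Proxy' => 'DIRECT'
}.freeze

# Hypothetical helper mirroring the behaviour described in the message:
# the URL is assembled from host and port with a fixed "http://" prefix.
def scheme_unaware_url(host, port)
  "http://#{host}:#{port}/"
end

# Hypothetical helper: pick the proxy for +url+ from +conf+ according to the
# URL's scheme. Returns a URI for the proxy, or nil for a direct connection.
# Simplification: only the Acquire::<scheme>::Proxy[::<host>] keys are read;
# environment variables and other apt fallbacks are ignored.
def proxy_for(url, conf)
  uri = URI.parse(url)
  scheme = uri.scheme.to_s.downcase
  unless %w[http https].include?(scheme)
    raise ArgumentError, "unsupported scheme in #{url.inspect}"
  end

  # A per-host entry (apt.conf(5)) wins over the scheme-wide one.
  value = conf["Acquire::#{scheme}::Proxy::#{uri.host}"] ||
          conf["Acquire::#{scheme}::Proxy"]
  return nil if value.nil? || value.empty? || value == 'DIRECT'

  URI.parse(value)
end

if __FILE__ == $PROGRAM_NAME
  [scheme_unaware_url('bugs.debian.org', 80), 'https://bugs.debian.org/'].each do |url|
    proxy = proxy_for(url, SAMPLE_APT_CONF)
    puts "#{url} -> #{proxy ? "via #{proxy}" : 'direct'}"
  end
end
```

With the sample settings, the "http://" URL resolves to the caching proxy while the "https://" URL for the same host resolves to a direct connection.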