On Thu, 2021-04-29 at 18:31 +0200, Francesco Poli wrote:
> But the fact is: I am not sure.
> 
;-)


> I am under the impression that ruby-httpclient is more sophisticated
> than the basic net/http Ruby library. It should support more features
> (but I don't remember which ones...).
> This also means that it is somewhat slower.

Hmm, I was just trying out a few things... and noted that, regardless of
whether or not ruby-httpclient is installed, the communication with the
Debian server seems to be completely in plain HTTP[0]? :-o


That's generally a bit concerning... I mean, I haven't looked at the
code, but I'd guess listbugs parses some output from the BTS...?

Even if that parsing is 100% safe... an attacker could still do a
blocking attack, e.g. by preventing a bug like "don't install the newest
SSH... it contains a backdoor" from arriving at the user.


That said... even TLS wouldn't make things much better here, at least
if it doesn't require a CA which is fully under the control of Debian
(which Debian unfortunately gave up).
So even with TLS, there'd be some >100 root CAs in ca-certificates...
and several thousand intermediate CAs, which could possibly do some
forgery.
Still, do you think it's feasible to add a strict requirement for TLS
(perhaps at least only trusting the root CA that Debian uses, which I
guess is Let's Encrypt)?



Anyway... I didn't notice any difference at all, whether or not
ruby-httpclient is there.
Also, I didn't find any obvious references to it in the apt-listbugs
sources... so nothing like a "require httpclient" or so, but I don't
speak Ruby, so there might be some auto-magic which I just don't know
about.


Cheers,
Chris.



[0] I did see some TLS traffic in that time frame, but that went to some
servers at Cloudflare (with no reverse DNS pointer set, so I kinda
guess it's nothing from Debian?)...
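As an added example of what the "strict TLS, trust only the one root CA" requirement discussed above could look like in Ruby's stock net/http (this is not apt-listbugs code and not from anyone in this thread): it builds a Net::HTTP client that refuses http:// URLs and trusts exactly one CA certificate instead of the whole ca-certificates bundle, then checks the pinning offline against a toy "Debian" root and a second, unrelated root generated in memory. The bugs.debian.org URL, the CA names and the idea that the tool ships its pinned root are assumptions made for illustration; the real BTS certificate chain is never consulted.

```ruby
require 'net/http'
require 'openssl'
require 'uri'

# Build a Net::HTTP client that refuses anything but https:// and trusts
# exactly one root CA (given as PEM) instead of the ca-certificates bundle.
# Assumption of this example: the tool ships that root alongside its code.
def strict_https_client(url, pinned_ca_pem)
  uri = URI(url)
  unless uri.scheme == 'https'
    raise ArgumentError, "refusing non-TLS URL: #{url}"
  end

  store = OpenSSL::X509::Store.new   # empty on purpose: no system roots
  store.add_cert(OpenSSL::X509::Certificate.new(pinned_ca_pem))

  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl     = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER   # chain + hostname check
  http.cert_store  = store
  http.min_version = OpenSSL::SSL::TLS1_2_VERSION
  http
end

# Generate a toy X.509 certificate and its key so the pinning logic can be
# exercised offline.  With no issuer it is a self-signed root, otherwise a
# leaf signed by the given issuer.  Constructed test fixtures only.
def make_cert(subject, issuer: nil, issuer_key: nil, ca: false, serial: 1)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                                  # X.509 v3
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints',
                                         ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage',
                                         ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment',
                                         true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Exercise the pinned store: a leaf from the pinned root must verify, a leaf
# with the same subject from any other root must not, and a plain-http URL
# must be rejected before any connection is attempted.
def pinning_demo
  debian_ca, debian_key = make_cert('/CN=Toy Debian Root CA', ca: true, serial: 1)
  other_ca,  other_key  = make_cert('/CN=Some Other Public CA', ca: true, serial: 2)
  good_leaf,  _ = make_cert('/CN=bugs.debian.org', issuer: debian_ca, issuer_key: debian_key, serial: 3)
  rogue_leaf, _ = make_cert('/CN=bugs.debian.org', issuer: other_ca,  issuer_key: other_key,  serial: 4)

  # Hypothetical BTS URL; nothing is sent, the object is only configured.
  http = strict_https_client('https://bugs.debian.org/cgi-bin/bugreport.cgi', debian_ca.to_pem)

  plain_rejected = begin
    strict_https_client('http://bugs.debian.org/', debian_ca.to_pem)
    false
  rescue ArgumentError
    true
  end

  {
    tls_forced:     http.use_ssl? && http.verify_mode == OpenSSL::SSL::VERIFY_PEER,
    pinned_ok:      http.cert_store.verify(good_leaf),
    rogue_rejected: !http.cert_store.verify(rogue_leaf),
    plain_rejected: plain_rejected,
  }
end

if __FILE__ == $PROGRAM_NAME
  pinning_demo.each { |k, v| puts "#{k}: #{v}" }
end
```

With a real deployment the PEM would be read from a file shipped in the package rather than generated, and the caveat is the flip side of the pinning: because the store holds only that one root, any root rotation by the CA (or a change of CA by the site) turns into a hard failure until an updated root is shipped, so the package needs a maintenance path for that, and the client still has to fail closed rather than fall back to plain HTTP.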
