Pardon the interruption, as I just stumbled on this bug. I was interested in implementing https as well. I have a few questions and comments on this issue:

1) SSL is useless w/o certificate verification.

This isn't necessarily true. In the scenario where you have an internal apt server to your organization, and you wish to use user/pass authentication, SSL becomes very critical, and cert verification is not as important, as you are on an internal network. CA available for a private organization to verify their own internal certs? i.e., I trust myself, therefore I trust the certs I run on my own internal systems.

A simple configuration option to apt.conf would take care of all scenarios w/ https. If you had an option to "Verify Cert=Yes/No", you can give system administrators a wide range of flexibility. Individuals on an internal network can continue w/o error, but ppl hitting public https servers could be warned (apt stops/continues ?) of an unverified cert.

2) HTTPS never be accepted b/c of OpenSSL needing to be in main

How is OpenSSL (BSD style license) affected by the crypto in main migration?

Matt Pavlovich

