Bug#987745: apt-listbugs: please clarify, what ruby-httpclient is needed/used for

2021-05-02 Thread Francesco Poli
On Sat, 01 May 2021 19:41:24 +0200 Christoph Anton Mitterer wrote:

[...]
> Could you perhaps ask the previous maintainer why he originally made a
> Depends on it?

I really doubt he can remember, after some 15 years...

I took a look at the git repository log, to see whether I could spot
an explanation in the commit messages, but I failed to find anything
about this.
Maybe I should use git-bisect to pinpoint the exact commit that
introduced the dependency...
But this would not necessarily be useful: the original reason for
adding the dependency could be obsolete today (maybe the needed feature
is now also implemented in the Ruby net/http library... but other
httpclient features could still be missing from the net/http library!).

> 
> Other than that, it might still be a possibility to actually demote the
> dependency (perhaps just in unstable), and wait for people to report
> when they run into problems (it shouldn't be anything that wouldn't be
> noticed immediately; the only thing that would be kinda "hidden" would be
> TLS/no-TLS, but that's anyway not a point... so if it's something like
> proxy, you'd get a ticket rather soon).
[...]

Well, I am a bit hesitant to break people's systems, just to see what
it breaks!

If I did so in unstable, I would do Debian users a disservice.
If I did so in experimental, the risk would be that too few users would
test the package.

Not easy.


-- 
 http://www.inventati.org/frx/
 There's not a second to spare! To the laboratory!
. Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE


Bug#987745: apt-listbugs: please clarify, what ruby-httpclient is needed/used for

2021-05-01 Thread Christoph Anton Mitterer
On Sat, 2021-05-01 at 19:35 +0200, Francesco Poli wrote:
> Before I can demote it to a suggestion, I need to be sure that no use
> case is harmed.
> There are a plethora of special situations (such as the strangest
> proxy
> setups, and so forth...), hence it's not easy to be sure...
> 
Could you perhaps ask the previous maintainer why he originally made a
Depends on it?

Other than that, it might still be a possibility to actually demote the
dependency (perhaps just in unstable), and wait for people to report
when they run into problems (it shouldn't be anything that wouldn't be
noticed immediately; the only thing that would be kinda "hidden" would be
TLS/no-TLS, but that's anyway not a point... so if it's something like
proxy, you'd get a ticket rather soon).

Otherwise we'd probably never find out. :D


> I hope you can live with the current state of affairs (ruby-
> httpclient
> as a recommendation).

Sure... it's all just about (more or less cosmetic) improvements.


Thanks,
Chris.



Bug#987745: apt-listbugs: please clarify, what ruby-httpclient is needed/used for

2021-04-30 Thread Christoph Anton Mitterer
On Sat, 2021-05-01 at 00:06 +0200, Francesco Poli wrote:
> [#792639]: 

Ah I even made some comments to that in the very beginning...
completely forgot about it.




> Since it's only a recommendation (and not a strong dependency), you
> can
> remove or purge it, while keeping apt-listbugs installed.
> 
> 
> If you have no objections, I will close this bug report.

Sure... feel free to close.

But if we cannot even name what it does (and AFAICS it doesn't really
change anything, except how things are handled under the hood?), it
may make sense to further demote the dependency to Suggests... or
perhaps even drop it?


Cheers,
Chris.



Bug#987745: apt-listbugs: please clarify, what ruby-httpclient is needed/used for

2021-04-30 Thread Francesco Poli
On Fri, 30 Apr 2021 21:59:42 +0200 Christoph Anton Mitterer wrote:

> On Thu, 2021-04-29 at 18:31 +0200, Francesco Poli wrote:
[...]
> > I am under the impression that ruby-httpclient is more sophisticated
> > than the basic net/http Ruby library. It should support more features
> > (but I don't remember which ones...).
> > This also means that it is somewhat slower.
> 
> Hmm, I was just trying out a few things... and noted that, regardless of
> whether or not ruby-httpclient is installed, the communication with the
> Debian server seems to be completely in plain HTTP[0]? :-o
[...]

That's an old, long and complicated story.
If you are looking for a way to kill some time, please read bug
[#792639] and the other two which are merged with it.

[#792639]: 

I agree that using HTTPS would not solve all security issues, but it would be a
step forward...

[...]
> Anyway... I didn't notice any difference at all, whether ruby-
> httpclient is there.
> Also I didn't find any obvious references to it in the apt-listbugs
> sources... so nothing like a "require httpclient" or so - but I don't
> speak ruby, so there might be some auto-magic, which I just don't know
> about.

The auto-magic is behind the scenes (if I recall correctly, it's the
ruby-soap4r library that automatically uses ruby-httpclient, if
present, otherwise falling back to net/http).

Anyway, if ruby-httpclient is superfluous for your use case, you should
be able to do without it.
Since it's only a recommendation (and not a strong dependency), you can
remove or purge it, while keeping apt-listbugs installed.


If you have no objections, I will close this bug report.



Bug#987745: apt-listbugs: please clarify, what ruby-httpclient is needed/used for

2021-04-30 Thread Christoph Anton Mitterer
On Thu, 2021-04-29 at 18:31 +0200, Francesco Poli wrote:
> But the fact is: I am not sure.
> 
;-)


> I am under the impression that ruby-httpclient is more sophisticated
> than the basic net/http Ruby library. It should support more features
> (but I don't remember which ones...).
> This also means that it is somewhat slower.

Hmm, I was just trying out a few things... and noted that, regardless of
whether or not ruby-httpclient is installed, the communication with the
Debian server seems to be completely in plain HTTP[0]? :-o


That's generally a bit concerning... I mean I haven't looked at the
code, but I'd guess listbugs parses some output from the BTS...?

Even if that parsing is 100% safe... an attacker could still do a
blocking attack, e.g. by preventing a bug like "don't install newest
SSH... it contains a backdoor" from arriving at the user.


That said... even TLS wouldn't make things much better here, at least
if it doesn't require a CA which is fully under the control of Debian
(which Debian unfortunately gave up).
So even with TLS, there'd be some >100 root CAs in ca-certificates...
and several thousand intermediate CAs, which could possibly do some
forgery.
Still, do you think it's feasible to add a strict requirement for TLS
(perhaps with at least only considering the root CA that Debian uses -
which I guess is Let's Encrypt)?



Anyway... I didn't notice any difference at all, whether ruby-
httpclient is there.
Also I didn't find any obvious references to it in the apt-listbugs
sources... so nothing like a "require httpclient" or so - but I don't
speak ruby, so there might be some auto-magic, which I just don't know
about.


Cheers,
Chris.



[0] I did see some TLS stuff at the time frame, but that went to some
servers at cloudflare (with no reverse DNS pointer set, so I kinda
guess it's nothing from Debian?)...
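The mitigation sketched in the message above (require TLS and trust only the one root CA the server actually uses) looks like this with Ruby's net/http and openssl. This is an added example, not apt-listbugs or ruby-httpclient code: the root, the leaf certificates and the host name bugs.example.invalid are constructed in-process for the demonstration, and nothing is assumed about Debian's real certificate chain.

```ruby
require 'openssl'
require 'net/http'
# Constructed test PKI (not Debian's or Let's Encrypt's keys): builds a CA or leaf certificate.
def make_cert(subject, issuer_cert: nil, issuer_key: nil, ca: false)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end
# A trust store holding exactly one root, instead of every root shipped in ca-certificates.
def pinned_store(root_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(root_cert)
  store
end
# True only if the server certificate chains to the single pinned root.
def chains_to_pinned_root?(store, leaf)
  store.verify(leaf)
end
# Net::HTTP configured so that plain HTTP and certificates from any other root are refused.
def pinned_http(host, store)
  http = Net::HTTP.new(host, 443)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.cert_store = store
  http
end

if __FILE__ == $PROGRAM_NAME
  root, root_key = make_cert('/CN=Pinned Root (constructed)', ca: true)
  leaf, = make_cert('/CN=bugs.example.invalid', issuer_cert: root, issuer_key: root_key)
  other_root, other_key = make_cert('/CN=Other Root (constructed)', ca: true)
  rogue, = make_cert('/CN=bugs.example.invalid', issuer_cert: other_root, issuer_key: other_key)
  store = pinned_store(root)
  puts chains_to_pinned_root?(store, leaf)   # true
  puts chains_to_pinned_root?(store, rogue)  # false
end
```

A certificate for the same host name issued by any root other than the pinned one fails verification, which is the property the thread asks for; a plain-HTTP transport is excluded simply because the client only ever opens TLS connections.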



Bug#987745: apt-listbugs: please clarify, what ruby-httpclient is needed/used for

2021-04-29 Thread Francesco Poli
Control: tags -1 + moreinfo


On Thu, 29 Apr 2021 00:12:13 +0200 Christoph Anton Mitterer wrote:

[...]
> Hi.

Hello!
Thanks for your interest in apt-listbugs.

> 
> It would be nice if the package's description could tell what ruby-httpclient
> is needed/used for, so that people can decide whether they want it or not.

Yes, it would be nice.
But the fact is: I am not sure.

When I adopted the package, back in 2009 (wow! time flies...), the
package had a strong dependency on ruby-httpclient.
Then I found out that it is not strictly required, although it is used,
when present.
Hence I downgraded the dependency to a recommendation.

I am under the impression that ruby-httpclient is more sophisticated
than the basic net/http Ruby library. It should support more features
(but I don't remember which ones...).
This also means that it is somewhat slower.


What is your experience?
Have you tested apt-listbugs with and without ruby-httpclient?
Is there any feature that seems to be missing for you, when not using
(or using) ruby-httpclient?




Bug#987745: apt-listbugs: please clarify, what ruby-httpclient is needed/used for

2021-04-28 Thread Christoph Anton Mitterer
Package: apt-listbugs
Version: 0.1.35
Severity: wishlist



Hi.

It would be nice if the package's description could tell what ruby-httpclient
is needed/used for, so that people can decide whether they want it or not.

Thanks,
Chris.