On Thursday 13 February 2014 22:07:37 David Kalnischkies wrote:
> On Thu, Feb 13, 2014 at 07:52:38PM +0100, Julien Cristau wrote:
> > On Thu, Feb 13, 2014 at 10:27:47 +0100, Raphael Geissert wrote:
> > > On 13 February 2014 00:26, Julien Cristau <jcris...@debian.org>
> > > wrote:
[...]
> > > > // Do not allow a redirection to switch protocol
> > > > - if (tmpURI.Access == "http")
[...]
> > > > return TRY_AGAIN_OR_REDIRECT;
[...]
> > > Yes, that's intentional as you should really not switch between
> > > protocols.
> >
> > I'm afraid I don't understand where this comes from. I don't think
> > redirecting from http to https is all that unreasonable?
>
> It isn't unreasonable by itself, but less than 1% of popcon users
> have the https client installed, so it will usually not work.
> (and as Raphael mentioned it was not possible at all until not too
> long, so this check is also a 'let's not change too much in one go')
>
> I am working on it now that the code can switch the protocol (at least
> from http to https, but not to other protocols).[...]

First issue is that allowing any protocol switch would basically
introduce a vulnerability in the system. There are too many apt methods
and they could be reached by redirecting http://foo/request to
$method://...
Any protocol switch should also be backed by a policy decision, IMO.

> Anyway: As said, basically nobody has the https method installed, so we
> either have to force it on everyone or we need the service to continue
> to provide the changelog over http for apt's http client.

I'd rather see aptitude call curl(1) to fetch it and just add a
Recommends, or even just a Suggests.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
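
Review bot: with `- if (tmpURI.Access == "http")` removed under the comment `// Do not allow a redirection to switch protocol`, the quoted excerpt no longer shows which condition guards `return TRY_AGAIN_OR_REDIRECT;`. The replacement test should be quoted in full and should compare the redirect target's access method against an explicit list of accepted values, and the comment should be updated if a switch such as http to https is now meant to pass.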
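
One way to express the policy decision discussed in this message, as an added example that is not apt's code and not from the thread: a redirect is accepted only when it stays on the same scheme or appears in an explicit table of permitted switches. The names `SchemeOf`, `RedirectAllowed`, `FirstRejectedHop` and `kAllowedSwitches` are hypothetical, the single http to https entry is an assumed policy, and treating a schemeless Location as a relative reference is an assumption.

```cpp
#include <cctype>
#include <cstddef>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Hypothetical helper: lower-cased URI scheme, or "" for a relative reference.
static std::string SchemeOf(const std::string &uri) {
    const std::string::size_type colon = uri.find(':');
    if (colon == std::string::npos || colon == 0)
        return "";
    std::string scheme = uri.substr(0, colon);
    for (char &c : scheme) {
        const unsigned char u = static_cast<unsigned char>(c);
        if (!std::isalnum(u) && c != '+' && c != '-' && c != '.')
            return "";  // not a scheme character, so this ':' is not a scheme delimiter
        c = static_cast<char>(std::tolower(u));
    }
    return scheme;
}

// Constructed policy table: every permitted cross-scheme switch is listed here.
static const std::set<std::pair<std::string, std::string>> kAllowedSwitches = {
    {std::string("http"), std::string("https")},
};

// True when a redirect from `from` to `to` is acceptable under the policy.
bool RedirectAllowed(const std::string &from, const std::string &to) {
    const std::string src = SchemeOf(from), dst = SchemeOf(to);
    if (src.empty())
        return false;  // the request being redirected must be absolute
    if (dst.empty() || dst == src)
        return true;   // relative or same-scheme redirect: no method switch
    return kAllowedSwitches.count(std::make_pair(src, dst)) != 0;
}

// Index of the first rejected hop in a chain of Location values, or -1.
int FirstRejectedHop(const std::string &start, const std::vector<std::string> &hops) {
    std::string current = start;
    for (std::size_t i = 0; i < hops.size(); ++i) {
        if (!RedirectAllowed(current, hops[i]))
            return static_cast<int>(i);
        if (!SchemeOf(hops[i]).empty())
            current = hops[i];  // a relative hop keeps the current scheme
    }
    return -1;
}
```

Because the chain check tracks the scheme reached so far, a later hop back from https to http is rejected even though the first hop was permitted.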