On Thu, 16 Jul 2015 20:44:14 -0400 Michael Gold wrote:

> Package: apt-listbugs
> Version: 0.1.16
> Severity: wishlist
> Tags: patch security

Hello Michael,
first of all: thanks a lot for your bug report and for preparing a patch! :-)

> apt-listbugs uses an unencrypted connection to communicate with the BTS,

True.

> leaking information about installed packages and versions.

Well, more packages than versions, I would say, but anyway I fully acknowledge that some information is leaked. In some scenarios, one would prefer to keep these data undisclosed.

[...]

> This turns out to be trivial to fix--just replace "http:" with "https:".
> The ruby libraries and the BTS already support it.

This is good news, I wasn't aware that the Debian BTS SOAP interface was already able to be used through HTTPS! Actually, I admit that I haven't tried to find documentation about this...

> The attached patch
> tries to do it properly to avoid breaking any local setups that depend
> on an unencrypted SOAP connection

Thanks again for taking the time to prepare a patch. I'll examine it more carefully later.

I assume that you're contributing this patch (copyrighted by you as an individual) under the same terms as apt-listbugs (GNU GPL v2 or later). Please confirm this.

> * Change the default URL to use https.
> * Add -u / --url / AptListbugs::URL settings to specify a full URL,
>   including protocol.
> * Consider -H and -p deprecated; specifying either will trigger the
>   old (unencrypted) behaviour.
> * Update documentation.

I have a few initial comments/questions on your patch (but, once again, I haven't yet taken the time to examine it thoroughly, let alone test it!):

• obviously, it would have been simpler to just switch from http to https and add a --disable-ssl option for those who need unencrypted SOAP connections: please elaborate a bit on the rationale behind such a more sophisticated approach (deprecate two options, which still are supported and provide the old behavior, add another option that supports arbitrary URLs); I guess the main reason is that you really value backward compatibility...?

• why should the user need to explicitly specify "/cgi-bin/soap.cgi"? after all, it has been automatically added by apt-listbugs so far... the user could just specify --url "https://bugs.debian.org:443" and the remainder could be added transparently; are there relevant scenarios where that last part of the URL won't be "/cgi-bin/soap.cgi"? or is it just "who knows?"

• I would prefer if the online help showed the current value of @soapurl between brackets, rather than its default value: apt-listbugs does so for other options; for instance

  $ apt-listbugs -P 2222 -h
  [...]
  -P <priority> : Pin-Priority value [2222].
  [...]

Finally, could you please re-base your patch against the current tip of the master branch on the public git repository? I can do that by myself, but spare time has been quite scarce around here lately... ;-)

Thank you very much for your time and help!

-- 
http://www.inventati.org/frx/
There's not a second to spare! To the laboratory!
.....................................................
Francesco Poli . GnuPG key fpr == CA01 1147 9CD2 EFDF FB82 3925 3E1C 27E1 1F69 BFFE
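One way to implement the URL handling debated in the thread (https by default, a --url value whose "/cgi-bin/soap.cgi" part is appended transparently, the deprecated -H/-p options falling back to plain http with a warning, and a help line that shows the value in effect), written in Ruby as an added example. This is neither Michael's patch nor apt-listbugs' own code; the function names, the constructed defaults and the legacy host/port values are assumptions.

```ruby
require 'uri'

# Constructed defaults, modelled on the values quoted in the thread (assumption).
DEFAULT_SOAP_URL = 'https://bugs.debian.org/cgi-bin/soap.cgi'
SOAP_PATH        = '/cgi-bin/soap.cgi'
LEGACY_HOST      = 'bugs.debian.org'   # what the old -H option defaulted to here
LEGACY_PORT      = 80                  # what the old -p option defaulted to here

# Resolve the BTS SOAP endpoint from the option set.
#   url:        value of --url; may omit the CGI path, e.g. "https://bugs.debian.org:443"
#   host, port: the deprecated -H / -p values; giving either selects the old
#               unencrypted behaviour, exactly as the patch description states
# Returns [endpoint_url, warnings].
def resolve_soap_url(url: nil, host: nil, port: nil)
  warnings = []
  if host || port
    warnings << 'options -H and -p are deprecated and select an unencrypted ' \
                'SOAP connection; use --url instead'
    return ["http://#{host || LEGACY_HOST}:#{port || LEGACY_PORT}#{SOAP_PATH}", warnings]
  end
  return [DEFAULT_SOAP_URL, warnings] if url.nil?

  uri = URI.parse(url)
  # Only http(s) with a host is meaningful for a SOAP endpoint; refuse anything else
  # rather than silently talking to a URL the user did not intend.
  unless %w[http https].include?(uri.scheme) && uri.host
    raise ArgumentError, "unsupported SOAP URL: #{url.inspect}"
  end
  # Add the CGI path transparently when the user only gave scheme://host[:port].
  uri.path = SOAP_PATH if uri.path.empty? || uri.path == '/'
  warnings << 'SOAP connection is not encrypted' if uri.scheme == 'http'
  # URI#to_s drops an explicit port equal to the scheme default (443 for https),
  # so "https://bugs.debian.org:443" prints as "https://bugs.debian.org/...".
  [uri.to_s, warnings]
end

# Online help line showing the value currently in effect between brackets,
# in the same style as the "-P <priority> : Pin-Priority value [2222]" line.
def url_help_line(current_url)
  "-u <url>       : URL of the BTS SOAP interface [#{current_url}]"
end
```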