Early discussion on this bug is "do we even want SSL?".
Please note this is now moot, as bugs.debian.org enforces SSL:

    $ wget http://bugs.debian.org/test

    $ grep bugs.debian.org ~/.wget-hsts
    bugs.debian.org 0       0       1617696160      15552000

    $ wget http://bugs.debian.org/test
    URL transformed to HTTPS due to an HSTS policy


Background reading:

    https://en.wikipedia.org/wiki/HSTS


Boring context (you can ignore this):

   1. apt-listbugs SOMETIMES breaks unattended-upgrades for me (about 60% of the time), with this config:

        Acquire::http::Proxy "http://apt-cacher-ng.cyber.com.au:3142";
        Acquire::https::Proxy "DIRECT";

   2. The error is not always the same:

        4 times:  E: HTTPClient::KeepAliveDisconnected:
        3 times:  E: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3/TLS write client hello
        4 times:  E: SSL_connect returned=1 errno=0 state=error: wrong version number

      Is ruby's HTTP/1 client continuing to use the (HTTP-only) proxy after
      http://deb.debian.org redirects to
      https://deb.debian.org?

      UPDATE: apt-listbugs/0.1.35 ignores Acquire::https::Proxy entirely, which sounds wrong:

        https://salsa.debian.org/frx-guest/apt-listbugs/-/blob/master/lib/aptlistbugs/logic.rb#L268

   3. The documented workaround sounds silly, because I already set a blanket DIRECT for https:

        https://salsa.debian.org/frx-guest/apt-listbugs/-/blob/master/FAQ.md#how-can-i-use-apt-listbugs-with-apt-cacherapt-cacher-ng-proxies

      UPDATE: since Acquire::https::Proxy is ignored, I guess I have to do this.  Blech.

   4. Since bugs.debian.org already forces TLS (due to HSTS),
      surely I just change the URL from http:// to https://?

      I don't see an equivalent of Acquire::Changelogs::URI in "apt-config dump":

          lib/aptlistbugs/logic.rb:    if /sev_list='(.*)'/ =~ `apt-config #{@apt_conf} shell sev_list AptListbugs::Severities`
          lib/aptlistbugs/logic.rb:    if /qb='(.*)'/ =~ `apt-config #{@apt_conf} shell qb AptListbugs::QueryStep`
          lib/aptlistbugs/logic.rb:    if /qb='(.*)'/ =~ `apt-config #{@apt_conf} shell qb AptListbugs::ParseStep`
          lib/aptlistbugs/logic.rb:    if /http_proxy='(.*)'/ =~ `apt-config #{@apt_conf} shell http_proxy acquire::http::proxy`
          lib/aptlistbugs/logic.rb:    if /proxy_detect='(.*)'/ =~ `apt-config #{@apt_conf} shell proxy_detect acquire::http::proxy-auto-detect`
          lib/aptlistbugs/logic.rb:    if /http_proxy='(.*)'/ =~ `apt-config #{@apt_conf} shell http_proxy acquire::http::proxy::bugs.debian.org`
          lib/aptlistbugs/logic.rb:    if /ignore_regexp='(.*)'/ =~ `apt-config #{@apt_conf} shell ignore_regexp AptListbugs::IgnoreRegexp`

      Looks like it's not even starting from a URL, but rather a hostname and a port number:

          https://salsa.debian.org/frx-guest/apt-listbugs/-/blob/master/lib/aptlistbugs/logic.rb#L95

   5. I found this bug where people are bikeshedding the moral hazards of condoning SSL.
      I get annoyed.

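The `~/.wget-hsts` entry quoted in the message, worked through as an added example (not part of the original message and not apt-listbugs code): it parses the entry, computes when the policy expires, and applies the same http-to-https rewrite wget reported. The column order is taken from the header comment wget writes to that file; ignoring the port column (0 meaning the default port) and the helper names are assumptions of this sketch.

```ruby
require 'uri'

# Constructed sample: the known-hosts line quoted in the message.
SAMPLE_DB = <<~DB
  # <hostname> <port> <incl. subdomains> <created> <max-age>
  bugs.debian.org\t0\t0\t1617696160\t15552000
DB

HstsEntry = Struct.new(:host, :port, :include_subdomains, :created, :max_age) do
  # The policy is valid from `created` for `max_age` seconds.
  def expires_at
    created + max_age
  end

  # True if this entry still forces HTTPS for `hostname` at time `now`.
  def covers?(hostname, now)
    return false if now >= expires_at
    return true if hostname == host
    include_subdomains && hostname.end_with?(".#{host}")
  end
end

# Parse the database text, skipping comments and malformed lines.
def parse_hsts_db(text)
  text.each_line.filter_map do |line|
    m = /\A(\S+)\s+(\d+)\s+([01])\s+(\d+)\s+(\d+)\z/.match(line.strip)
    next unless m
    HstsEntry.new(m[1].downcase, m[2].to_i, m[3] == '1', m[4].to_i, m[5].to_i)
  end
end

# Return the URL a client honouring the stored policy would actually fetch.
def hsts_upgrade(url, entries, now)
  uri = URI.parse(url)
  return url unless uri.scheme == 'http' && uri.host
  return url unless entries.any? { |e| e.covers?(uri.host.downcase, now) }
  # Default port 80 becomes default port 443; an explicit other port is kept.
  port = uri.port == 80 ? nil : uri.port
  URI::HTTPS.build(host: uri.host, port: port, path: uri.path, query: uri.query).to_s
end

if __FILE__ == $PROGRAM_NAME
  entries = parse_hsts_db(SAMPLE_DB)
  puts Time.at(entries.first.expires_at).utc
  puts hsts_upgrade('http://bugs.debian.org/test', entries, 1617696200)
end
```
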