Package: apt
Hi,
In order to transparently overwrite deb.debian.org in our own network,
we can overwrite the SRV records for http on the internal resolvers, i.e.:
_http._tcp.deb.debian.org. IN SRV 10 1 80 mirror.example.org.
However, in the case of HTTPS using _https._tcp.deb.debian.org this
doesn't work, as we'll be having a certificate mismatch
(mirror.example.org cannot have a valid deb.debian.org certificate).
It would be nice if apt would not just replace the IP of the
deb.debian.org request with the IP of mirror.example.org, but instead
treat it more like a 301: the request to deb.debian.org should be done
as a request to the hostname provided (aka mirror.example.org).
This would allow local network administrators to transparently redirect
traffic to the internal mirror in cases where it's unrealistic to have
control/influence over the clients otherwise (in our case, a large university
network with all BYOD devices).
I don't think this is a privacy/security issue if apt would implement
this, as you have to trust your local network administrator anyway (they
could use transparent proxies instead and still "inject" .deb files
without the user noticing it) and can't enforce client side where the
.debs are downloaded from.
As a user, you can be still sure that what you're getting is valid, as
all the security measures of apt-secure (gpg validation, indices
expiration, etc.) are untouched by that and will prevent any tampering.
Or in other words: please support making local mirroring using
deb.debian.org possible with https.
Regards,
Daniel
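The two models the report contrasts, as an added example that is not part of the bug report or of apt's own code: an "IP-only" SRV override keeps the original host name for TLS verification, so the internal mirror's certificate cannot match, while a "301-style" rewrite verifies the SRV target's own name. The SRV answers, host names and certificate subjectAltName lists below are constructed for illustration; the SAN matching is a deliberately simplified stand-in for a real TLS library's hostname check. In both models the apt-secure signature and expiry checks on the downloaded indices are unaffected, which is why the integrity argument in the report holds regardless of which host served the files.

```python
"""Model SRV-based mirror redirection for an APT origin under two policies.

Everything here is constructed sample data (added example, not apt code).
"""
from dataclasses import dataclass
import fnmatch
from urllib.parse import urlsplit, urlunsplit

# Constructed SRV answers as an internal resolver might return them:
# (service label, origin host) -> (target host, port)
SRV = {
    ("_http._tcp", "deb.debian.org"): ("mirror.example.org", 80),
    ("_https._tcp", "deb.debian.org"): ("mirror.example.org", 443),
}

# Constructed subjectAltName lists of the certificate each host would present.
CERT_SANS = {
    "deb.debian.org": ["deb.debian.org", "*.debian.org"],
    "mirror.example.org": ["mirror.example.org"],
}


@dataclass
class Plan:
    connect_host: str   # host the TCP connection actually goes to
    port: int
    url: str            # URL as the HTTP layer and Host header see it
    verify_host: str    # name checked against the server certificate


def plan(url: str, mode: str) -> Plan:
    """Decide how to fetch `url` given the SRV table.

    mode "ip":       swap only the address; keep the original name for TLS.
    mode "redirect": rewrite the request to the SRV target, like a 301.
    """
    parts = urlsplit(url)
    default_port = 443 if parts.scheme == "https" else 80
    service = f"_{parts.scheme}._tcp"
    target, port = SRV.get(
        (service, parts.hostname), (parts.hostname, parts.port or default_port)
    )
    if mode == "ip":
        return Plan(target, port, url, parts.hostname)
    if mode == "redirect":
        new_url = urlunsplit(
            (parts.scheme, f"{target}:{port}", parts.path, parts.query, "")
        )
        return Plan(target, port, new_url, target)
    raise ValueError(f"unknown mode {mode!r}")


def cert_matches(presented_by: str, verify_host: str) -> bool:
    """Simplified SAN check: exact match, or a wildcard covering one label."""
    for san in CERT_SANS[presented_by]:
        if san.startswith("*."):
            # A wildcard must not span label boundaries, so label counts must agree.
            same_depth = verify_host.count(".") == san.count(".")
            if same_depth and fnmatch.fnmatchcase(verify_host, san):
                return True
        elif san == verify_host:
            return True
    return False


def tls_ok(url: str, mode: str) -> bool:
    """True if the certificate the contacted host presents passes verification."""
    p = plan(url, mode)
    return cert_matches(p.connect_host, p.verify_host)


if __name__ == "__main__":
    origin = "https://deb.debian.org/debian/dists/bookworm/InRelease"
    for mode in ("ip", "redirect"):
        p = plan(origin, mode)
        print(f"{mode:8s} connect={p.connect_host}:{p.port} "
              f"verify={p.verify_host} tls_ok={tls_ok(origin, mode)}")
```

Running the module prints one line per policy; only the "redirect" policy yields a verifiable TLS session against the mirror, which is exactly the behaviour the report asks apt to adopt for HTTPS sources.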