On Tue, Oct 13, 2009 at 11:06:22PM +0200, David Kalnischkies wrote:
> While it is now commited and this message will maybe redirected to /dev/null
> i just want to express that i am unhappy with this patch:
> First of all: It has no documentation - this is unfortunately also true for
> many other apt features, so this is maybe not a real no-go,
> but also the manpage for the netrc file doesn't even suggest the usage of
> this file for https -- for me it looks like it should be used only for
> "user configuration for ftp" (man 5 netrc).
> So if this file is really used for https in realworld someone should patch
> the manpage - otherwise this new "feature" seems more like an ugly hack...
> (and the last think we need is yet another hack in apt i guess)
>
> On the other hand, apt already includes a way for client authentication
> (i think) since 0.7.15~exp1 using certificates.
> See the very short man 5 apt.conf description and the (in my eyes) more
> useful descriptions in the beloved config-example:
> /usr/share/doc/apt/examples/apt-https-method-example.conf.gz
> Options: Acquire::https[::repo.domain.tld]::{CaInfo,SslCert,SslKey}
> (This is btw one of the under-documented features -
> feel free to provide patches for this one as well)
>
> So i am also not really sure if this feature is needed at all --
> or only for the very limited usecases the submitter described original...
>
Note that the criticality of this bug is related to the fact the normal
http version leaks the passwords to the build logs, and this patch is a
solution for that. If it can be fixed another way, this bug can be
downgraded back to wishlist.
--
Aurelien Jarno GPG: 1024D/F1BCDB73
aurel...@aurel32.net http://www.aurel32.net
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
