On Tue, Oct 13, 2009 at 11:06:22PM +0200, David Kalnischkies wrote:
> While it is now committed and this message will maybe be redirected to /dev/null
> I just want to express that I am unhappy with this patch:
> First of all: It has no documentation - this is unfortunately also true for
> many other apt features, so this is maybe not a real no-go,
> but also the manpage for the netrc file doesn't even suggest the usage of
> this file for https -- for me it looks like it should be used only for
> "user configuration for ftp" (man 5 netrc).
> So if this file is really used for https in the real world someone should patch
> the manpage - otherwise this new "feature" seems more like an ugly hack...
> (and the last thing we need is yet another hack in apt I guess)
>
> On the other hand, apt already includes a way for client authentication
> (I think) since 0.7.15~exp1 using certificates.
> See the very short man 5 apt.conf description and the (in my eyes) more
> useful descriptions in the beloved config-example:
> /usr/share/doc/apt/examples/apt-https-method-example.conf.gz
> Options: Acquire::https[::repo.domain.tld]::{CaInfo,SslCert,SslKey}
> (This is btw one of the under-documented features -
> feel free to provide patches for this one as well)
>
> So I am also not really sure if this feature is needed at all --
> or only for the very limited usecases the submitter described originally...
>

Note that the criticality of this bug is related to the fact the normal
http version leaks the passwords to the build logs, and this patch is a
solution for that. If it can be fixed another way, this bug can be
downgraded back to wishlist.

--
Aurelien Jarno                          GPG: 1024D/F1BCDB73
aurel...@aurel32.net                 http://www.aurel32.net
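
The following is an added example, not code from this thread or from apt: a build-log check for the leak mentioned above that reports and redacts passwords embedded in fetch URLs. It assumes the leak takes the form of `scheme://user:password@host` URLs copied from apt output into the log; the sample log, host, user and password are constructed.

```python
import re

# Matches scheme://user:password@host for URL schemes apt fetches from.
# The password group stops at '@', '/' or whitespace, so a plain host:port
# URL (no '@' before the path) never matches.
CRED_URL = re.compile(
    r"\b(?P<scheme>https?|ftp)://(?P<user>[^\s:/@]+):(?P<password>[^\s/@]+)"
    r"@(?P<host>[^\s/:]+)"
)


def redact_line(line):
    """Return the line with any URL password replaced by a fixed marker."""
    return CRED_URL.sub(
        lambda m: f"{m['scheme']}://{m['user']}:REDACTED@{m['host']}", line
    )


def scan_log(text):
    """Return (findings, redacted_text); findings are (line_no, user, host)."""
    findings, out = [], []
    for no, line in enumerate(text.splitlines(), start=1):
        for m in CRED_URL.finditer(line):
            findings.append((no, m["user"], m["host"]))
        out.append(redact_line(line))
    return findings, "\n".join(out)


# Constructed sample build log (assumed format; all values are made up).
SAMPLE_LOG = """\
Get:1 http://builder:s3cr3t@repo.domain.tld stable/main Packages [12.3 kB]
Get:2 http://deb.example.org:8080/debian stable Release [1,024 B]
Err https://builder:s3cr3t@repo.domain.tld:443 stable/main foo 1.0-1
Fetched 13.3 kB in 0s (100 kB/s)
"""

if __name__ == "__main__":
    hits, clean = scan_log(SAMPLE_LOG)
    for no, user, host in hits:
        print(f"line {no}: password for {user}@{host} present in log")
    print(clean)
```

Any finding means the logged password should be treated as exposed and rotated, since redacting the archived log does not undo earlier reads.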