On Fri, 2021-09-10 at 09:33 +0200, Helmut Grohne wrote:
> If we installed auto-apt-proxy by default, much of the local caching
> would just work.

If you push for a local caching method to be used by default, apt should always request (In)Release.gpg from a regular mirror (not auto-discovered local cache), preferably via HTTPS; for subsequent data (which apt can verify via (In)Release) a local mirror can be used, falling back to the regular mirror when the data provided by the local cache is not correct for any reason.

Especially at BSPs where people are likely to bootstrap new environments (via debootstrap, for example for building packages) we would allow downgrade attacks otherwise: (In)Release for stable releases has no Valid-Until, so any initial (In)Release file can be substituted by the cache operator for an older one which then refers to known-vulnerable packages. (And I'm not sure debootstrap even checks Valid-Until.)

Ansgar
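
The rollback condition described in the message above, as an added example that is not part of the original mail or of apt/debootstrap: a check that compares a Release file served by a local cache against one fetched from a regular mirror. The function names and sample files are hypothetical and constructed, and signature verification is assumed to have happened already.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_release(text):
    """Return the top-level 'Field: value' pairs of a Release file."""
    fields = {}
    for line in text.splitlines():
        # Indented lines are checksum-list continuations, not fields.
        if line and not line[0].isspace() and ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields

def when(value):
    """Parse an RFC 2822 style date as used in Date and Valid-Until."""
    dt = parsedate_to_datetime(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def check_cached_release(cached_text, mirror_text, now):
    """List reasons to distrust a cache-served Release file.

    Assumes both files already passed signature verification: an old
    Release file is still validly signed, which is why this is needed.
    """
    cached, mirror = parse_release(cached_text), parse_release(mirror_text)
    findings = []
    if cached.get("Codename") != mirror.get("Codename"):
        findings.append("codename-mismatch")
    if when(cached["Date"]) < when(mirror["Date"]):
        findings.append("older-than-mirror")   # rollback indicator
    if "Valid-Until" not in cached:
        findings.append("no-valid-until")      # staleness undetectable offline
    elif when(cached["Valid-Until"]) < now:
        findings.append("expired")
    return findings

# Constructed sample data, not real archive metadata.
MIRROR = "Suite: stable\nCodename: bullseye\nDate: Sat, 04 Sep 2021 10:00:00 UTC\n"
CACHE_OLD = "Suite: stable\nCodename: bullseye\nDate: Sat, 14 Aug 2021 08:00:00 UTC\n"
WITH_EXPIRY = ("Suite: example-updates\nCodename: example-updates\n"
               "Date: Sat, 04 Sep 2021 10:00:00 UTC\n"
               "Valid-Until: Sat, 11 Sep 2021 10:00:00 UTC\n")
NOW = datetime(2021, 9, 20, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(check_cached_release(CACHE_OLD, MIRROR, NOW))
    print(check_cached_release(WITH_EXPIRY, WITH_EXPIRY, NOW))
```

Without a Valid-Until field, the older file is only caught because a fresher Date from the regular mirror is available for comparison.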