Hello,

* Michael Stone [Wed, Sep 08 2021, 07:25:26PM]:
> On Wed, Sep 08, 2021 at 03:56:14PM +0200, Ansgar wrote:
> > On Wed, 2021-09-08 at 15:41 +0200, Helmut Grohne wrote:
> > > On Wed, Sep 08, 2021 at 02:01:03PM +0200, Ansgar wrote:
> > > > So what do you suggest then? Tech-ctte as with merged-/usr? Or a
> > > > GR? Or something else?
> > >
> > > I propose that the proponents pay the cost. In this case, it is a bit
> > > unclear what that means precisely (which likely is the reason they
> > > haven't done it already). At the very least though, apt install
> > > auto-apt-proxy should continue to work on a default installation in a
> > > sensible way.
> >
> > I can file a bug for auto-apt-proxy to include an apt.conf snippet
> > saying
> >
> > Acquire::https::Verify-Peer false;
> >
> > That clearly makes it work again
>
> I think the issue isn't certificate validation, it's that https proxy
> requests are made via CONNECT rather than GET. You could theoretically
> rewrite the proxy mechanism to MITM the CONNECT, but that wouldn't be a
> drop-in replacement. I suppose you could instead add an apt option to pass
> the https request to the proxy via GET instead of using CONNECT, but I think

Precisely. Current handling of HTTPS on a caching proxy is either impossible
or a PITA for the user, as long as such mixed behavior is not configurable.
apt-cacher-ng works around that by telling users to disguise https URLs as
HTTP with a special marker for protocol switch (ugly, I know). Also keep in
mind that it off-loads the encryption work to the proxy, but that might even
be intentional.

> that also won't necessarily work on an existing proxy.

Speaking at least for ACNG, my assumption was that it would support that but
I was wrong. TODO created,
https://salsa.debian.org/blade/apt-cacher-ng/-/issues/11 .

> If we're imagining apt options, something like
> Acquire::https::Force-Proxy-HTTP true;
> would probably be more useful for this specific case (not that I think it's
> a great idea--too much potential for surprise).

I would make it a list of trusted proxy hosts and a special value ALL.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994032 created.

Best regards,
Eduard.
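The CONNECT-versus-GET difference discussed in this message, seen from the proxy's side, as an added example (not part of the thread and not apt or apt-cacher-ng code): it parses the first line of a proxy request and reports what a caching proxy can see and key a cache on. The function name `proxy_view`, the result fields and the sample requests are constructed for illustration, and the third sample is only an assumed wire form of the "https request via GET" idea described above.

```python
from urllib.parse import urlsplit

# Constructed sample request heads (not captured traffic).
GET_HTTP = b"GET http://deb.debian.org/debian/dists/stable/InRelease HTTP/1.1\r\nHost: deb.debian.org\r\n\r\n"
CONNECT = b"CONNECT deb.debian.org:443 HTTP/1.1\r\nHost: deb.debian.org:443\r\n\r\n"
# Assumed wire form of the "https via GET" idea from the thread.
GET_HTTPS = b"GET https://deb.debian.org/debian/dists/stable/InRelease HTTP/1.1\r\nHost: deb.debian.org\r\n\r\n"

DEFAULT_PORT = {"http": 80, "https": 443}


def proxy_view(raw: bytes) -> dict:
    """Report what a forward proxy learns from the request line alone."""
    line = raw.split(b"\r\n", 1)[0].decode("ascii")
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {line!r}")
    method, target, _ = parts

    if method == "CONNECT":
        # authority-form target: host:port only. After the proxy answers 200
        # it relays TLS bytes it cannot read, so there is no URL to cache on.
        host, sep, port = target.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError(f"CONNECT needs host:port, got {target!r}")
        return {"mode": "tunnel", "host": host, "port": int(port),
                "cache_key": None, "upstream_tls_by": "client"}

    # absolute-form target: the proxy sees the whole URL and fetches it itself.
    url = urlsplit(target)
    if url.scheme not in DEFAULT_PORT or not url.hostname:
        raise ValueError(f"expected absolute http(s) URL, got {target!r}")
    return {"mode": "forward", "host": url.hostname,
            "port": url.port or DEFAULT_PORT[url.scheme],
            "cache_key": target if method == "GET" else None,
            # For https:// the proxy, not the client, terminates TLS to the
            # mirror; assuming a plain-HTTP hop to the proxy, the request
            # travels that hop in the clear.
            "upstream_tls_by": "proxy" if url.scheme == "https" else None}


if __name__ == "__main__":
    for name, req in [("GET http", GET_HTTP), ("CONNECT", CONNECT),
                      ("GET https", GET_HTTPS)]:
        print(f"{name:10} {proxy_view(req)}")
```

Only the two absolute-form requests give the proxy a URL to cache on; in the https case the client no longer validates the mirror's certificate itself, which is why the reply above suggests restricting such an option to a list of trusted proxy hosts.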