Hello release folks! The APT team has prepared two important changes in apt; please give us a decision on whether they are appropriate for Lenny or not.
---------------------------------------------------------
Change #1 aka "Valid-Until for preventing replay attacks"
---------------------------------------------------------

The motivation of this change is bug #499897, "preventing replay attacks against the security archive" [1].

Summary of change:
1. Add support for the Valid-Until header in the Release file.
2. Add the Acquire::Max-Default-Age configuration option, which defaults to 7 days for Debian-Security.

The result of the change: APT will refuse to use a too-outdated Release file at the earliest 'update' action after the Release expiry. A possible attacker will not be allowed to ship the same outdated Release (and so outdated Packages too) after the date in the 'Valid-Until' entry of the Release file, preventing the attack. If this field is absent from the Release file, the option "Acquire::Max-Default-Age::Debian-security" will be used. The default number of days for this option, "7", is open to discussion, of course.

--------------------------------------------------------
Change #2 aka "Stop the mess with proxy settings in APT"
--------------------------------------------------------

Motivation: a set of bug reports [2][3][4][5][6] saying that proxy settings in apt are quite a mess and counter-intuitive. The main fault was treating the http_proxy and ftp_proxy environment variables as having higher priority than APT's Acquire::{ftp,http}::Proxy[::host] settings. Moreover, the https proxy setting had a strange bug depending on whether http_proxy was set or not, and some proxy info was discarded entirely.

The change unifies proxy settings behavior, removes the mess, and tries to document the new behavior clearly. The debian/NEWS file contains the following entry regarding this change:

-8<-
apt (0.7.21) unstable; urgency=low

  * Code that determines which proxy to use was changed. Now
    'Acquire::{http,ftp}::Proxy[::<host>]' options have the highest priority,
    and '{http,ftp}_proxy' environment variables are used only if options
    mentioned above are not specified.
->8-

, which describes the change and its consequences. Appropriate documentation updates for apt.conf(5) are included too.

------------------------

The apt 0.7.21~exp1 that contains these two changes (over 0.7.20) has just been uploaded to experimental.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499897
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=157759
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=320174
[4] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=365880
[5] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=445985
[6] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=479617

Regards,
--
Eugene V. Lyubimkin aka JackYF, JID: jackyf.devel(maildog)gmail.com
Ukrainian C++ developer, Debian Maintainer, APT contributor
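As an added illustration (not part of this mail and not apt's own code), the following Python sketch shows the Release-file freshness check that Change #1 describes: an explicit Valid-Until is honoured, and when the field is absent the Date plus a per-label Max-Default-Age (7 days for Debian-Security, mirroring Acquire::Max-Default-Age::Debian-security) is used instead. The Release fragments, dates and the MAX_DEFAULT_AGE_DAYS mapping are constructed samples for this example.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Release files (not real archive data), one with Valid-Until
# and one without it, so that the Max-Default-Age fallback applies.
RELEASE_WITH_VALID_UNTIL = """\
Origin: Debian
Label: Debian-Security
Date: Sat, 01 Nov 2008 20:12:45 UTC
Valid-Until: Sat, 08 Nov 2008 20:12:45 UTC
"""
RELEASE_WITHOUT_VALID_UNTIL = """\
Origin: Debian
Label: Debian-Security
Date: Sat, 01 Nov 2008 20:12:45 UTC
"""
# Stand-in for Acquire::Max-Default-Age::<Label>, keyed by lower-cased Label.
MAX_DEFAULT_AGE_DAYS = {"debian-security": 7}

def parse_release(text):
    """Parse the 'Field: value' header block of a Release file into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith(" "):
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields

def _utc(date_str):
    """Parse an RFC 2822 date as used in Release files; assume UTC if unzoned."""
    dt = parsedate_to_datetime(date_str)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def release_is_fresh(text, now=None, max_age_days=MAX_DEFAULT_AGE_DAYS):
    """Return (accepted, reason). Reject a Release file that has expired by
    its explicit Valid-Until, or by Date + per-label default age without it."""
    now = _utc(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    fields = parse_release(text)
    if "Valid-Until" in fields:
        expiry, source = _utc(fields["Valid-Until"]), "Valid-Until"
    else:
        days = max_age_days.get(fields.get("Label", "").lower())
        if days is None or "Date" not in fields:
            return True, "no expiry information; accepted as-is"
        expiry = _utc(fields["Date"]) + timedelta(days=days)
        source = "Date + Max-Default-Age (%d days)" % days
    if now > expiry:
        return False, "%s expired at %s; stale Release, possible replay" % (source, expiry)
    return True, "%s valid until %s" % (source, expiry)
```

Passing `now` as an RFC 2822 string makes it easy to replay a check against a fixed clock; in real use the current time is taken from the system clock, which is why a wrong local clock can itself cause spurious rejections or acceptances.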