Web lists-archives.com

Re: Recreating history of a package




Hallo,

16.02.19 21:24 Ben Hutchings:
> On Sat, 2019-02-16 at 14:17 +0100, Guillem Jover wrote:
> > On Sat, 2019-02-16 at 12:22:04 +0000, peter green wrote:
> > > 2. Snapshot.debian.org is only offered over plain insecure http. For
> > >    recent versions the packages can be verified against the
> > >    Packages/Sources files which can in turn be verified with gpg but
> > >    older versions are more problematic to verify as the relevant
> > >    packages/sources files are only signed with 1024 bit keys or not
> > >    signed at all. This is made worse by the fact that
> > >    snapshot.debian.org has an API to obtain the first snapshot a
> > >    package is available in but not any API to find the last snapshot
> > >    it was available in.
> > 
> > http://snapshot.debian.org/ is now offered over https too. Its front-page
> > even documents its usage as such. :)
> 
> And it has HSTS, which is nice, but it is missing the redirection
> that's needed to make that work completely.

I guess global HTTP redirects might break older apt setups without apt-
transport-https installed.

For browsers it should be enough to add the redirects for the HTML pages.


Grüße
Timo

Attachment: signature.asc
Description: This is a digitally signed message part.