AptHTTPS
Launchpad entry: https://launchpad.net/distros/ubuntu/+spec/apt-https
Contributors: ThomMay, MichaelVogt
Packages affected: apt
Summary
Enable APT to access repositories served over HTTPS.
Rationale
HTTPS provides both authentication and security advantages to APT. Allowing remote clients to positively verify that they are connecting to the correct archive is less important now that we have APT-secure, but certificate-based authentication and encryption of proprietary packages for company repositories are large wins.
Use Cases
- Acme, Inc wish to roll out a worldwide server network. They wish to provide proprietary packages to those servers and wish to ensure that no attacker can gain access to the package repository. Thus, they wish to protect the packages in transit via SSL and also authenticate to the servers using client certs.
Design
APT makes it relatively straightforward to add new methods. We will create an https method based on libcurl-gnutls.
Implementation
Currently APT implements its own http and ftp transports. Rather than writing our own https transport, we think the best approach is to use libcurl. libcurl could then replace the ftp and http transports as well at a later date.
Some prototype work was done in: http://people.ubuntu.com/~mvo/bzr/apt/curl/
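An added example, not part of this spec or of APT's code: a check that a client's apt configuration delivers what the Acme use case asks for, an authenticated archive server and a client certificate. It assumes the `Acquire::https` option names (`Verify-Peer`, `Verify-Host`, `SSLCert`, `SSLKey`, `CAInfo`) documented in apt-transport-https(1), which do not appear on this page; the host name, file paths and both sample configurations are constructed.

```python
import re

# Tokens of apt.conf syntax: quoted value, comment, punctuation, option name.
TOKEN = re.compile(r'"(?P<quoted>[^"]*)"|//[^\n]*|/\*.*?\*/'
                   r'|(?P<punct>[{};])|(?P<word>[^\s{};"]+)', re.S)
FALSE_WORDS = {"false", "no", "off", "0", "disable", "without"}

def parse_apt_conf(text):
    """Flatten scoped blocks and ::-paths into {lower-cased option: value}."""
    settings, scope, name, value = {}, [], None, None
    for m in TOKEN.finditer(text):
        kind, tok = m.lastgroup, m.group(m.lastgroup or 0)  # comments: kind is None
        if kind == "word":
            name = tok
        elif kind == "quoted":
            value = tok
        elif tok == "{":                 # "Name {" opens a scope
            scope.append(name or "")
            name = None
        elif tok == "}":
            del scope[-1:]               # close the innermost scope, if any
        elif tok == ";":                 # end of statement: store "Name value"
            if name is not None and value is not None:
                settings["::".join(scope + [name]).lower()] = value
            name = value = None
    return settings

def audit_https(settings, host):
    """Return findings for one repository host; an empty list means it passed."""
    def opt(name, default=None):         # a per-host option overrides the global one
        return settings.get(f"acquire::https::{host}::{name}".lower(),
                            settings.get(f"acquire::https::{name}", default))
    findings = [f"{name} disabled: the archive server is not authenticated"
                for name in ("verify-peer", "verify-host")
                if opt(name, "true").lower() in FALSE_WORDS]
    if not opt("sslcert"):
        findings.append("no client certificate: the client cannot authenticate")
    return findings

HOST = "repo.acme.example"               # constructed host name
WEAK = '''// constructed sample: verification switched off
Acquire::https::repo.acme.example { Verify-Peer "false"; Verify-Host "false"; };
'''
HARDENED = '''// constructed sample: CA pinned, client certificate supplied
Acquire::https::repo.acme.example::CAInfo  "/etc/apt/ssl/acme-ca.pem";
Acquire::https::repo.acme.example::SSLCert "/etc/apt/ssl/client.crt";
Acquire::https::repo.acme.example::SSLKey  "/etc/apt/ssl/client.key";
'''
print(audit_https(parse_apt_conf(WEAK), HOST))
```

The parser covers only `Name "value";` statements and nested scopes; `#include` and `#clear` directives and list values are ignored.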
Legal Issues
APT is licensed under the GPL. libcurl can be used with either OpenSSL or GnuTLS. In the case of OpenSSL, a special exemption clause would be required to make it possible to link with both libapt-pkg and OpenSSL. We will try to get written permission for this from the previous apt copyright holders. Until we have that, we will use GnuTLS.
Discussion
MikhailSobolev: I don't know what is the correct procedure here.
MikhailSobolev: APT is licensed under GPL. It makes it impossible to use both libapt-pkg and OpenSSL at the same time (please correct me if I'm wrong here). Even if cURL is chosen, it seems to be questionable to create APT methods that would link to cURL that uses OpenSSL for the https protocol. How are you going to mitigate the issue (if it exists, of course :))?
ThomMay: libcurl3-gnutls provides libcurl linked with GNUTLS.
MikhailSobolev: yes, GnuTLS is an option. However, cURL supports both GnuTLS and OpenSSL and there's no particular reason to limit apt methods to support only GnuTLS. Or is there?
MikhailSobolev: to make it more practical, http://nokia.com/770 is actively using OpenSSL and having GnuTLS for apt while using OpenSSL in all other places creates certain challenges:
- footprint
- more components for legal check (yes, it's Nokia specific, but still...) ==> slower development, bigger risks
Option of moving to GnuTLS is not currently considered.
AptHTTPS (last edited 2008-08-06 16:23:35 by localhost)