Launchpad entry: https://launchpad.net/distros/ubuntu/+spec/apt-https
Packages affected: apt
Enable APT to access repositories made available via https
HTTPS provides both authentication and security advantages to APT. Allowing remote clients to positively verify that they are connecting to the correct archive is not so important now that we have APT-secure, but providing certificate based authentication and also enabling encryption of proprietary packages for company repositories are large wins.
- Acme, Inc wish to roll out a worldwide server network. They wish to provide proprietary packages to those servers and wish to ensure that no attacker can gain access to the package repository. Thus, they wish to protect the packages in transit via SSL and also authenticate to the servers using client certs.
Apt makes it relatively straightforward to add new methods. We will create a https method based on libcurl-gnutls that will support https.
Currently APT implements its own http and ftp transports. Rather than write our own https transport, it is felt that the best approach is to use libcurl. This could then replace the ftp and http transports as well at a later date.
Some prototype work was done in: http://people.ubuntu.com/~mvo/bzr/apt/curl/
APT is licensed under GPL. libcurl can be used with both OpenSSL and GnuTLS. In case of OpenSSL a special exemption clause would be required for making it possible to link with both libapt-pkg and OpenSSL. We will try to get a written permission to do this from the previous apt copyright holders. Until we have that, we will use gnutls.
MikhailSobolev: I don't know what is the correct procedure here.
MikhailSobolev: APT is licensed under GPL. It makes it impossible to use both libapt-pkg and OpenSSL at the same time (Please correct me if I'm wrong here). Even if cURL is chosen, it seems to be questionable to create APT methods that would link to cURL that uses OpenSSL for https protocol. How you are going to mitigate the issue (if it exists, of course :))?
ThomMay: libcurl3-gnutls provides libcurl linked with GNUTLS.
MikhailSobolev: yes, GnuTLS is an option. However cURL supports both GnuTLS and OpenSSL and there's no particular reason to limit apt methods to support only GnuTLS. Or is there?
more components for legal check (yes, it's Nokia specific, but still...) ==> slower development, bigger risks
Option of moving to GnuTLS is not currently considered.