Package: libruby1.8
Followup-For: Bug #396304
I think this bug is still related to apt-listbugs.
The soap_use_proxy variable is an interface of a library used internally.
apt-listbugs does not _have_to_ expose this interface to the user.
apt-listbugs even sets or deletes this variable in some cases depending on
the settings in apt.conf. This behaviour is inconsistent.
IMHO apt-listbugs should behave like other APT tools.
The manpage of apt.conf states
http
HTTP URIs; http::Proxy is the default http proxy to use. It is in
the standard form of http://[[user][:[EMAIL PROTECTED]:port]/. Per
host
proxies can also be specified by using the form http::Proxy::<host>
with the special keyword DIRECT meaning to use no proxies. The
http_proxy environment variable will override all settings.
So it's expected behaviour that variable http_proxy will be used without
any questions or complaints from the programs.
I'm aware of two possible security risks: The first is the use of
user:password in the proxy URL. This is no problem if http_proxy does not
contain a password. The second is the risk to unexpectedly override the
settings from apt.conf with an untrusted proxy. I think this should be
solved by a common solution for all apt related programs. Using a wrong
proxy to list bug reports is a small problem compared to using this proxy
to download packages.
Please point me to an explanation if there is another security risk.
Maybe we need a setting in apt.conf that tells APT to ignore http_proxy
and use the settings from apt.conf only. This should apply to apt-listbugs
as well. (like wget's --no-proxy option)
I have the proxy setting in apt.conf, so aptitude and apt-listbugs work
as expected if I dont have http_proxy set.
But there are other programs that need the http_proxy environment variable.
When I set this variable (in my case to the same proxy as in apt.conf)
aptitude and apt-listchanges still work but apt-listbugs complains about
the missing soap_use_proxy variable.
If you like the idea of the soap_use_proxy variable, I propose to use
a setting in apt.conf or a variable specific to apt-listbugs, to select
from these possibilities:
- use http_proxy (and set soap_use_proxy internally)
- complain if http_proxy is set
- complain if http_proxy is set and differs from the apt.conf setting
(else set soap_use_proxy internally)
- ignore http_proxy and use the setting from apt.conf (and set or remove
http_proxy and soap_use_proxy internally as required)
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (900, 'testing'), (300, 'unstable'), (10, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-1-686
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Versions of packages libruby1.8 depends on:
ii libc6 2.3.6.ds1-7 GNU C Library: Shared libraries
ii libncurses5 5.5-5 Shared libraries for terminal hand
ii zlib1g 1:1.2.3-13 compression library - runtime
libruby1.8 recommends no packages.
-- no debconf information
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
