:: Re: [DNG] SSL certificate or host m…
Page principale
Supprimer ce message
Répondre à ce message
Auteur: Olaf Meeuwissen
Date:  
À: crichmon
CC: 'dng'
Sujet: Re: [DNG] SSL certificate or host mapping for ASCII updates for APT
Hi Chris,

crichmon@??? writes:

> On 2021-04-08 15:32, Joril wrote:
>> On 08/04/21 16:40, crichmon@??? wrote:
>> > I'm trying to 'apt update' an ascii box, and the repos in the
>> > aptsource list point here:
>> >
>> > deb http://us.deb.devuan.org/merged ascii main non-free contrib
>>
>> I think that "country mirrors" are deprecated, try using just
>> deb.devuan.org
>
> Actually, I did already try that after reading the docs on the web again,
> and get the same problems using the same debugging tools.
> Sparing the details.
> /tmp# host deb.devuan.org
> deb.devuan.org is an alias for deb.roundr.devuan.org.
> <several IP's listed>
> Trying to browse http://deb.devuan.org/ still fails.


The package repositories aren't really meant for browser-based perusal
but http://deb.devuan.org/ displays fine, as in an Apache/2.4 directory
listing, for me. That may be because I chanced upon an IP address that
supports that but if you *really* have SSL certificate issues, I guess
your browser is *forcing* HTTPS upon you. Regular HTTP URLs don't use
certificates.

# You might want to make sure you add that http:// at the beginning of
# that URL in your browser's location bar.

> What I hadn't tried was 'apt update', which I'm doing now after
> updating sources.list, and it is working, so apt doesn't exactly have
> the same cert issues.


That's because APT uses HTTP, not HTTPS, per your URL.
APT downloads a signed InRelease file and checks that using GnuPG keys
from the devuan-keyring package. If that checks out fine, the checksums
in that file are used to verify the Packages and Sources files which, in
turn contain checksums for the individual packages that are verified
before `apt` goes ahead and install things.

That is to say, APT doesn't rely on SSL certificates but on GnuPG keys
to make sure you get exactly what the package maintainers intended.

Hope this helps,
--
Olaf Meeuwissen, LPIC-2            FSF Associate Member since 2004-01-27
 GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13  F43E B8A4 A88A F84A 2DD9
 Support Free Software                        https://my.fsf.org/donate
 Join the Free Software Foundation              https://my.fsf.org/join