Opened 9 years ago

Closed 9 years ago

#2090 closed defect (worksforme)

APT repository broken by website relaunch

Reported by: cypherpunks Owned by: erinn
Priority: Very High Milestone:
Component: Applications/Tor bundles/installation Version:
Severity: Keywords: APT repository deb redesign relaunch
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

The APT repositories which used to be available at
http://deb.torproject.org/torproject.org/
no longer work.

http://deb.torproject.org/torproject.org/dists/lenny/main/binary-amd64/Packages.gz
is a HTTP 302 (temporary) redirect to
https://www.torproject.org/torproject.org/dists/lenny/main/binary-amd64/Packages.gz
which returns a HTTP 404 File not found error.

I assume this behaviour is related to your website redesign, combined with a newly added overbroad Apache Redirect statement which applies to all virtual hosts in an attempt to safeguard your users by switching to an encrypted connection. The issue here, however, is that there is just a single HTTPS VirtualHost.

You might want to either keep the deb.torproject.org site available by plain HTTP (possibly allowing for disclosure of users' slightly sensitive information), setup multiple SSL sites on different IP addresses, use a single SSL certificate for multiple hostnames by (ab)use of SubjectAltName's or consider switching to TLS 1.1 and Server Name Indication (which will lock Internet Exploiter on Windoze XP out). Or just find an even better option than I could think of.

Child Tickets

Change History (2)

comment:1 Changed 9 years ago by Sebastian

I am unaware of any such redirecting going on, and in fact were just able to fetch http://deb.torproject.org/torproject.org/dists/lenny/main/binary-amd64/Packages.gz without issue. Are you sure you're not running httpseverywhere or something which might be ruining your day here?

comment:2 Changed 9 years ago by Sebastian

Resolution: worksforme
Status: newclosed

Hrm, so in talking with the reporter on irc there were two problems: The first one is that no maverick packages exist yet, so apt-get update showed a 404, which doesn't help to solve this.

The other thing is that I can't reproduce the described redirect for any of the IPs that make up deb.torproject.org's rotation. The only thing I'm able to reproduce is that we forward http://torproject.org/dists/lenny/main/binary-amd64/Packages.gz to https://www.torproject.org/torproject.org/dists/lenny/main/binary-amd64/Packages.gz , which we may or may not want. The reporter is very confident to have used the deb.tpo url however, so I'm not sure what's going on here. I'm going to close this as worksforme, please reopen if you can reproduce this again (and report which server you were using, please)

Note: See TracTickets for help on using tickets.