Comment 6 for bug 996151

Jason Gunthorpe (jgunthorpe) wrote :

Wow, I'm really surprised you guys have decided to turn pipelining off. That is crazy. Pipelining has been in APT since day one (i.e. since 1997, wow!), and I personally worked with a number of web server developers to make sure their servers worked properly, according to the RFC.

Squid has *always* had varying levels of breakage when working with pipelining, but I also extensively tested APT's HTTP method with squid and ensured it worked for many years. It looks to me like someone must have tried to 'improve' things in squid (probably tried to support HTTP/1.1 keep-alive) and broke it even more..

The thought that pipelining is inherently broken is ridiculous. The behaviour of requesters, proxies and completers is very well defined, and if you follow the damn spec you don't create any problems, security, correctness, or otherwise.

And yes, it makes a huge, obvious, night and day difference:

$ time sudo apt-get update -o Acquire::http::Pipeline-Depth=10
real 0m9.090s
$ time sudo apt-get update -o Acquire::http::Pipeline-Depth=0
real 0m19.700s

A much better suggestion would be to detect a proxy during install (most proxies add headers to their reply) and drop a pipeline depth config into /etc/apt/apt.conf.d/ ... Or perhaps not pipeline the first request and look for a proxy in the reply, then turn it on.

It is completely mind-blowing that squid has been broken since 1997, even to the extent that the breakage created a whole new class of proxy vulnerabilities (request smuggling) and nobody has fixed it, or even really cared to notice..
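
The proxy-detection idea suggested in the comment above, as an added example that is not part of the original comment and is not APT's own code: it reads the headers of one non-pipelined reply and emits the matching apt.conf line. The function names, the list of header fields treated as proxy markers, the fallback depth of 10 and the sample replies are assumptions of this example.

```shell
#!/bin/sh
# Added example (not APT code): choose Acquire::http::Pipeline-Depth from the
# headers of one non-pipelined HTTP response read on stdin.

# Succeeds (exit 0) if the header block carries a field that intermediaries
# add. The field list is an assumption of this example: Via is the standard
# proxy field, X-Cache and X-Cache-Lookup are emitted by Squid.
proxy_headers_seen() {
    tr -d '\r' | awk '
        $0 == "" { exit }                  # blank line: the headers end here
        {
            name = tolower($0)
            sub(/:.*/, "", name)           # keep the field name only
            if (name == "via" || name == "x-cache" || name == "x-cache-lookup")
                found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# Prints one apt.conf line: depth 0 behind a detected intermediary,
# otherwise the depth given as $1 (hypothetical default: 10).
apt_conf_fragment() {
    if proxy_headers_seen; then depth=0; else depth="${1:-10}"; fi
    printf 'Acquire::http::Pipeline-Depth "%s";\n' "$depth"
}

# Constructed sample replies (not captured traffic).
SAMPLE_VIA_PROXY='HTTP/1.1 200 OK
Server: Apache
X-Cache: MISS from proxy.example
Via: 1.1 proxy.example (squid)
'
# The Via text after the blank line is body data and must be ignored.
SAMPLE_DIRECT='HTTP/1.1 200 OK
Server: Apache
Content-Length: 36

Via: this line is body, not a header'

# An installer would redirect this output into a file of its choosing
# under /etc/apt/apt.conf.d/ (the file name is left to the caller).
printf '%s\n' "$SAMPLE_VIA_PROXY" | apt_conf_fragment 10
printf '%s\n' "$SAMPLE_DIRECT" | apt_conf_fragment 10
```

A proxy configured to suppress these fields is not detected, and a mirror that sits behind its own cache also sets them, so the check is a heuristic that errs toward depth 0.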