
Re: HTTPS metadata in Mirrors.masterlist?



On Tue, Feb 11, 2014 at 01:04:29PM +0000, Colin Watson wrote:
> I'm working on adding HTTPS support to d-i.  Now, I know that we already
> have integrity by way of the GPG signature chain, but this isn't for
> that; this is in response to feedback Canonical has had from some Ubuntu
> customers (typically of the large and corporate variety) that they want
> to do all of their apt traffic over HTTPS to avoid people snooping on
> which packages various machines are installing.  We already have some
> minimal support for this by way of Joey's change in debootstrap 1.0.56:
> 
>   * When debootstrapping Debian, and the debian-archive-keyring is not
>     available, switch the default mirror to a https url. This way at
>     least the CA level of security is available even for users who
>     have no way to check gpg keys in the WoT. The https mirror is
>     currently https://mirrors.kernel.org/debian.
> 
> Now, the next thing on my list to work on is choose-mirror: you should
> be able to pass mirror/protocol=https and have it offer you HTTPS
> mirrors if it knows about any, and otherwise just ask you to enter
> mirror information manually.  I suspect that in reality most users of
> this feature would have an internal mirror, but it would be good to
> offer public mirrors where we know about them too.
> 
> Would it be possible, then, to add "Archive-https: /debian/" to the
> "Site: mirrors.kernel.org" stanza in Mirrors.masterlist, and perhaps
> start maintaining Archive-https fields for other mirrors willing to
> participate?  That would at least get a minimal list started for this
> mode.
> 
> (And yes, I know that this is only of any actual use if we do
> certificate checks.  Right now the way I have things hooked up is that
> you can add certificates to the d-i initramfs, either by rebuilding with
> SSL_CERTS set in build/config/local or by concatenating another
> initramfs-format archive of c_rehash-ed certificates unpacking to
> /usr/lib/ssl/certs; or else debian-installer/allow_unauthenticated=false
> will imply no certificate checking.  You have to supply GNU wget anyway,
> since busybox wget doesn't speak HTTPS.  If more people than I suspect
> want to use this then we might want to consider something with
> ca-certificates, but I felt that was overkill for now and it certainly
> involved more thinking about policy than I wanted to do.)

I managed to typo debian-mirrors@lists.debian.org as
debian-mirrors@lists.kernel.org, bafflingly.  Following up with full
quoting so that both lists have it ...

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]
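
Added example, not part of the original message or of choose-mirror's own code: a sketch of how an installer could pick mirrors from stanzas carrying the proposed Archive-https field, and ask for manual entry rather than downgrade to HTTP when none is known. The stanza layout, the Archive-http field, mirror.example.org and all function names are assumptions.

```python
# Constructed sample in an RFC822-style stanza layout (an assumption).
# Only "Site" and "Archive-https" appear in the mail; "Archive-http" and
# mirror.example.org are made up for illustration.
SAMPLE_MASTERLIST = """\
Site: mirrors.kernel.org
Archive-http: /debian/
Archive-https: /debian/

Site: mirror.example.org
Archive-http: /debian/
"""


def parse_stanzas(text):
    """Split blank-line-separated stanzas into dicts of field -> value."""
    stanzas, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current = {}
            continue
        if line[0] in " \t" or ":" not in line:
            continue  # continuation or malformed line: skipped in this sketch
        key, _, value = line.partition(":")
        current[key.strip().lower()] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def mirrors_for(text, protocol):
    """Return base URLs for mirrors that publish an Archive-<protocol> field."""
    field = "archive-" + protocol
    urls = []
    for stanza in parse_stanzas(text):
        site, path = stanza.get("site"), stanza.get(field)
        if site and path:
            urls.append(f"{protocol}://{site}/{path.strip('/')}/")
    return urls


def choose(text, protocol):
    """Offer known mirrors, or signal manual entry; never fall back to http."""
    urls = mirrors_for(text, protocol)
    return ("offer", urls) if urls else ("manual", [])


if __name__ == "__main__":
    print(choose(SAMPLE_MASTERLIST, "https"))
```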

