Re: HTTPS metadata in Mirrors.masterlist?
On Tue, Feb 11, 2014 at 01:04:29PM +0000, Colin Watson wrote:
> I'm working on adding HTTPS support to d-i. Now, I know that we already
> have integrity by way of the GPG signature chain, but this isn't for
> that; this is in response to feedback Canonical has had from some Ubuntu
> customers (typically of the large and corporate variety) that they want
> to do all of their apt traffic over HTTPS to avoid people snooping on
> which packages various machines are installing. We already have some
> minimal support for this by way of Joey's change in debootstrap 1.0.56:
>
>   * When debootstrapping Debian, and the debian-archive-keyring is not
>     available, switch the default mirror to a https url. This way at
>     least the CA level of security is available even for users who
>     have no way to check gpg keys in the WoT. The https mirror is
>     currently https://mirrors.kernel.org/debian.
>
> Now, the next thing on my list to work on is choose-mirror: you should
> be able to pass mirror/protocol=https and have it offer you HTTPS
> mirrors if it knows about any, and otherwise just ask you to enter
> mirror information manually. I suspect that in reality most users of
> this feature would have an internal mirror, but it would be good to
> offer public mirrors where we know about them too.
>
> Would it be possible, then, to add "Archive-https: /debian/" to the
> "Site: mirrors.kernel.org" stanza in Mirrors.masterlist, and perhaps
> start maintaining Archive-https fields for other mirrors willing to
> participate? That would at least get a minimal list started for this
> mode.
>
> (And yes, I know that this is only of any actual use if we do
> certificate checks. Right now the way I have things hooked up is that
> you can add certificates to the d-i initramfs, either by rebuilding with
> SSL_CERTS set in build/config/local or by concatenating another
> initramfs-format archive of c_rehash-ed certificates unpacking to
> /usr/lib/ssl/certs; or else debian-installer/allow_unauthenticated=false
> will imply no certificate checking. You have to supply GNU wget anyway,
> since busybox wget doesn't speak HTTPS. If more people than I suspect
> want to use this then we might want to consider something with
> ca-certificates, but I felt that was overkill for now and it certainly
> involved more thinking about policy than I wanted to do.)

I managed to typo debian-mirrors@lists.debian.org as
debian-mirrors@lists.kernel.org, bafflingly. Following up with full
quoting so that both lists have it ...

Thanks,
--
Colin Watson [cjwatson@debian.org]
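
The mirror selection proposed in the message above, as an added example that is not part of the original message and is not choose-mirror's code: it reads stanzas in the style of Mirrors.masterlist and offers only mirrors that carry an Archive-<protocol> field, falling back to manual entry when none do. The function names and the second sample stanza (mirror.example.org) are assumptions made for illustration.

```python
# Constructed sample in the stanza style of Mirrors.masterlist. Only the
# "Site: mirrors.kernel.org" / "Archive-https: /debian/" pair comes from the
# message above; the second stanza is a placeholder.
SAMPLE = """\
Site: mirrors.kernel.org
Archive-http: /debian/
Archive-https: /debian/

Site: mirror.example.org
Archive-http: /debian/
"""

def parse_stanzas(text):
    """Split RFC 822-style text into dicts, one per blank-line-separated stanza."""
    stanzas, current, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
            current, last = {}, None
        elif line[0] in " \t" and last:
            current[last] += " " + line.strip()  # continuation of previous field
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip().lower()
            current[last] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas

def mirrors_for(text, protocol):
    """Return base URLs of mirrors that advertise an Archive-<protocol> path."""
    field = "archive-" + protocol
    urls = []
    for stanza in parse_stanzas(text):
        site, path = stanza.get("site"), stanza.get(field)
        # No silent downgrade: a mirror lacking the field is skipped rather
        # than offered over another protocol.
        if site and path and path.startswith("/"):
            urls.append(f"{protocol}://{site}{path}")
    return urls

def choose(text, protocol):
    """Offer known mirrors, or signal that the mirror must be entered manually."""
    urls = mirrors_for(text, protocol)
    return ("offer", urls) if urls else ("manual", [])
```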