
Bug#733179: debootstrap should abort if the keyring is missing, not just warn



Hi Joey!

On Thu, 2013-12-26 at 22:21:52 -0400, Joey Hess wrote:
> I actually think it would be more of a win to change the default mirror
> url from the current http://ftp.us.debian.org/ to a https url. This
> provides weak (CA) verification on systems without the Debian keyring,
> which is considerably better than nothing.
> 
> A good candidate for such a mirror is https://mirrors.kernel.org/debian,
> although it's not currently in the {ftp,http}.us.debian.org rotation for
> some reason, and lacks IPv6. (None of the {ftp,http}.us.debian.org
> mirrors currently support https.) Due to those limitations, and to avoid
> overloading it, I've modified debootstrap to default to the https mirror only
> when the gpg keyring is not available.

I see this in the latest debootstrap upload:

,---
  [ Joey Hess ]
  * When debootstrapping Debian, and the debian-archive-keyring is not
    available, switch the default mirror to a https url. This way at
    least the CA level of security is available even for users who
    have no way to check gpg keys in the WoT. The https mirror is
    currently https://mirrors.kernel.org/debian.
  * Avoid writing https urls into sources.list, as apt does not support https.
`---

Although apt should support https if one has apt-transport-https
installed. You might already know that or you might still not want to
use https URIs on the target system, just dropping a note here in case
you didn't know about this.

Thanks,
Guillem
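The two policies under discussion in this thread, the shipped "fall back to an https mirror when the keyring is missing" behaviour and the stricter "abort instead of warn" behaviour the bug title asks for, plus Guillem's point about https URIs in the target's sources.list, written out as a small POSIX shell example. This is an added illustration, not debootstrap's own code; the mirror URLs are the ones named in the thread, the keyring path is an assumption (the debian-archive-keyring package installs /usr/share/keyrings/debian-archive-keyring.gpg), and the keyring file used in the demo is constructed with mktemp.

```shell
#!/bin/sh
# Added example, not debootstrap's own code. Mirror URLs are those named in
# the thread; the keyring path below is an assumption, not taken from the page.

DEFAULT_HTTP_MIRROR="http://ftp.us.debian.org/debian"
HTTPS_MIRROR="https://mirrors.kernel.org/debian"
ASSUMED_KEYRING="/usr/share/keyrings/debian-archive-keyring.gpg"

# keyring_usable KEYRING: succeed only if the keyring exists and is non-empty.
# An empty or unreadable keyring gives no signature verification at all.
keyring_usable() {
    [ -s "$1" ]
}

# choose_mirror KEYRING: the fallback policy from the changelog. With a usable
# keyring the plain http mirror is fine (Release is gpg-verified); without one,
# an https mirror at least gives CA-level transport verification.
choose_mirror() {
    if keyring_usable "$1"; then
        echo "$DEFAULT_HTTP_MIRROR"
    else
        echo "$HTTPS_MIRROR"
    fi
}

# require_keyring KEYRING: the strict policy the bug report asks for. Return
# a non-zero status so a caller can abort instead of merely warning.
require_keyring() {
    if keyring_usable "$1"; then
        return 0
    fi
    echo "error: keyring '$1' is missing or empty; refusing to bootstrap without Release signature verification" >&2
    return 1
}

# target_sources_uri URL HAVE_APT_TRANSPORT_HTTPS: the URI to write into the
# target's sources.list. An https URI only works there if apt-transport-https
# is installed ("yes"); otherwise apt cannot fetch from it, so downgrade to http.
target_sources_uri() {
    if [ "$2" = yes ]; then
        echo "$1"
    else
        echo "$1" | sed 's|^https://|http://|'
    fi
}

# Demo on a constructed keyring file (a real run would use $ASSUMED_KEYRING).
demo_keyring=$(mktemp)
printf 'not-a-real-keyring' > "$demo_keyring"
echo "mirror with keyring:    $(choose_mirror "$demo_keyring")"
echo "mirror without keyring: $(choose_mirror /nonexistent/keyring.gpg)"
echo "target sources.list URI (no apt-transport-https): $(target_sources_uri "$HTTPS_MIRROR" no)"
require_keyring /nonexistent/keyring.gpg || echo "strict policy would abort here (status $?)"
rm -f "$demo_keyring"
```

The strict policy is the one a defender would want as the default: a warning is easy to miss in a scripted build, whereas a non-zero exit status stops an unverified bootstrap from silently becoming the base of an image.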

