
HTTPS metadata in Mirrors.masterlist?



Hi,

I'm working on adding HTTPS support to d-i.  Now, I know that we already
have integrity by way of the GPG signature chain, but this isn't for
that; this is in response to feedback Canonical has had from some Ubuntu
customers (typically of the large and corporate variety) that they want
to do all of their apt traffic over HTTPS to avoid people snooping on
which packages various machines are installing.  We already have some
minimal support for this by way of Joey's change in debootstrap 1.0.56:

  * When debootstrapping Debian, and the debian-archive-keyring is not
    available, switch the default mirror to a https url. This way at
    least the CA level of security is available even for users who
    have no way to check gpg keys in the WoT. The https mirror is
    currently https://mirrors.kernel.org/debian.

Now, the next thing on my list to work on is choose-mirror: you should
be able to pass mirror/protocol=https and have it offer you HTTPS
mirrors if it knows about any, and otherwise just ask you to enter
mirror information manually.  I suspect that in reality most users of
this feature would have an internal mirror, but it would be good to
offer public mirrors where we know about them too.

Would it be possible, then, to add "Archive-https: /debian/" to the
"Site: mirrors.kernel.org" stanza in Mirrors.masterlist, and perhaps
start maintaining Archive-https fields for other mirrors willing to
participate?  That would at least get a minimal list started for this
mode.

(And yes, I know that this is only of any actual use if we do
certificate checks.  Right now the way I have things hooked up is that
you can add certificates to the d-i initramfs, either by rebuilding with
SSL_CERTS set in build/config/local or by concatenating another
initramfs-format archive of c_rehash-ed certificates unpacking to
/usr/lib/ssl/certs; or else debian-installer/allow_unauthenticated=false
will imply no certificate checking.  You have to supply GNU wget anyway,
since busybox wget doesn't speak HTTPS.  If more people than I suspect
want to use this then we might want to consider something with
ca-certificates, but I felt that was overkill for now and it certainly
involved more thinking about policy than I wanted to do.)

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]
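As an added illustration of the mirror-selection behaviour described above (this is example code, not the message's own code nor d-i's choose-mirror), the following parses a Mirrors.masterlist-style file and returns only the mirrors that advertise the requested protocol, falling back to an empty list (which a caller would turn into "ask for the mirror manually"). The sample stanzas are constructed; the field names Site, Country, Archive-http and Archive-ftp are the ones the real file uses, and Archive-https is the field proposed in the message.

```python
"""Pick mirrors from a Mirrors.masterlist-style file by protocol.

Example code added for illustration; the hostnames and paths in
SAMPLE_MASTERLIST are constructed and not real mirror data.
"""
from typing import Dict, List

# Constructed sample in the RFC822-style stanza format Mirrors.masterlist uses.
# Stanzas are separated by blank lines; "Archive-https" is the proposed field.
SAMPLE_MASTERLIST = """\
Site: mirrors.kernel.org
Country: US United States
Archive-http: /debian/
Archive-ftp: /debian/
Archive-https: /debian/

Site: ftp.example.org
Country: DE Germany
Archive-http: /debian/
Archive-ftp: /debian/

Site: deb.example.net
Country: NL Netherlands
Archive-https: /mirror/debian/
"""


def parse_masterlist(text: str) -> List[Dict[str, str]]:
    """Split the file into stanzas, each a dict of field -> value.

    Lines starting with whitespace are treated as continuations of the
    previous field, in the usual RFC822 manner.
    """
    stanzas: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    last_key = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            # Blank line ends the current stanza.
            if current:
                stanzas.append(current)
                current = {}
            last_key = None
            continue
        if line[0].isspace() and last_key is not None:
            current[last_key] += " " + line.strip()
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # malformed line; ignore rather than abort
        last_key = key.strip()
        current[last_key] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def mirrors_for_protocol(stanzas: List[Dict[str, str]], protocol: str) -> List[str]:
    """Return base URLs for every mirror that has an Archive-<protocol> field.

    Mirrors without that field are skipped, so asking for "https" yields only
    sites that have explicitly opted in, which is the behaviour the message
    wants from choose-mirror when mirror/protocol=https is set.
    """
    field = f"Archive-{protocol}"
    urls: List[str] = []
    for stanza in stanzas:
        site = stanza.get("Site")
        path = stanza.get(field)
        if not site or path is None:
            continue
        if not path.startswith("/"):
            path = "/" + path
        urls.append(f"{protocol}://{site}{path}")
    return urls


def choose_mirror(text: str, protocol: str) -> List[str]:
    """Convenience wrapper: an empty result means 'prompt for the mirror'."""
    return mirrors_for_protocol(parse_masterlist(text), protocol)


if __name__ == "__main__":
    for proto in ("https", "http", "ftp"):
        found = choose_mirror(SAMPLE_MASTERLIST, proto)
        print(proto, found or "(none known; ask the user for a mirror)")
```

With the sample above, `https` yields the two sites carrying an Archive-https field and leaves out ftp.example.org, which only advertises HTTP and FTP; a protocol nobody lists returns an empty list so the installer can fall back to manual entry.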