
Bug#775454: Allow user blocking of https fallback



On Fri, 2015-05-15 at 04:58 +0200, Cyril Brulebois wrote:
> Control: tag -1 pending
> 
> jnqnfe <jnqnfe@gmail.com> (2015-01-15):
> > Package: debootstrap
> > Severity: important
> > Tags: security patch
> > 
> > In the event of a GPG keyring not being found, debootstrap may fall back
> > to the alternative security of an https mirror.
> > 
> > Users lacking the requisite GPG keyring file (or perhaps just making a
> > typo in their parameters) may not necessarily be satisfied with the
> > security of https. They might like a choice of simply receiving an error
> > instead, prompting them to investigate and resolve the missing keyring
> > issue, and should not be expected to have to take care to watch the log
> > output to check the file was found and if not then terminate the process
> > in such cases.
> > 
> > The attached patch adds a simple new --no-https-fallback parameter to
> > provide users with control over the fallback behaviour.
> > 
> > Note, this patch builds upon my patches for bugs #661501 and #775449; I
> > haven't checked whether conflicts occur if applying it without those
> > already in place, apologies for that, I have a lot of work to do.
> 
> I've implemented a slightly modified version of your patch. Feel free to
> follow up in case I missed something:
>   https://anonscm.debian.org/cgit/d-i/debootstrap.git/commit/?id=be99f7b
> 
> Mraw,
> KiBi.

Looks good to me! :)

