[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#842040: Please add https support

On 20.11.2016 05:52, Cyril Brulebois wrote:
> Well, I think this is a crucial issue: what use case(s) are you trying
> to fix? “We want https” isn't clear to me.

After d-i has installed the system, we use HTTPS with client
certificates - using apt-transport-https. The use case there is
authentication and be allowed to fetch packages from any network,
including the Internet. During d-i we unfortunately still have to rely
on network trust, where we run against the company policy of not having
unencrypted services. Plus we'd need to have various non-HTTPS endpoints
(packages, configuration, images[1]) in addition to the HTTPS ones we
already have, which complicates maintenance. You'd think that we aren't
the only ones who'd host configuration behind a HTTPS server, though[2].
That we also serve all of the packages through HTTPS is just a byproduct.

> Besides wget supporting https, is there any work needed on the retriever
> side? What about trust chains, do you have any bundled list of trusted
> CAs? Do you want to be able to rebuild d-i with a specific trusted CA,
> and trust none by default?

I can say what works for us: adding another cpio archive to the netboot
that contains files in /etc/ssl/certs (PEM files plus the result of
c_rehash). You can pass multiple initrds to the kernel and it will
unpack them one by one, which easily allows to add more files and
overwrite existing ones (but not to remove files, AFAIK). It's not
really much worse than other bits of configuration, like preseeds.
Embedding another binary like wget and not just scripts, however, is
more tricky (getting dependencies right, fighting against mklibs
removing symbols - which I guess was... fixed).

But you are absolutely correct in for this to be universally useful,
we'd also need a ca-certificates-udeb. I can take a look at that but I
somewhat fear that it won't be that much smaller than the regular one
(maybe ~150k udeb size).

Kind regards and thanks
Philipp Kern

[1] We extended d-i to download image files of system installs.
[2] Thinking of preseed/url across the Internet. I used to need that for
s390x installs.

Reply to: