[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#842040: Please add https support

Philipp Kern <pkern@debian.org> (2016-11-20):
> On 20.11.2016 05:52, Cyril Brulebois wrote:
> > Well, I think this is a crucial issue: what use case(s) are you trying
> > to fix? “We want https” isn't clear to me.
> After d-i has installed the system, we use HTTPS with client
> certificates - using apt-transport-https. The use case there is
> authentication and be allowed to fetch packages from any network,
> including the Internet. During d-i we unfortunately still have to rely
> on network trust, where we run against the company policy of not having
> unencrypted services. Plus we'd need to have various non-HTTPS endpoints
> (packages, configuration, images[1]) in addition to the HTTPS ones we
> already have, which complicates maintenance. You'd think that we aren't
> the only ones who'd host configuration behind a HTTPS server, though[2].
> That we also serve all of the packages through HTTPS is just a byproduct.
> > Besides wget supporting https, is there any work needed on the retriever
> > side? What about trust chains, do you have any bundled list of trusted
> > CAs? Do you want to be able to rebuild d-i with a specific trusted CA,
> > and trust none by default?
> I can say what works for us: adding another cpio archive to the netboot
> that contains files in /etc/ssl/certs (PEM files plus the result of
> c_rehash). You can pass multiple initrds to the kernel and it will
> unpack them one by one, which easily allows to add more files and
> overwrite existing ones (but not to remove files, AFAIK). It's not
> really much worse than other bits of configuration, like preseeds.
> Embedding another binary like wget and not just scripts, however, is
> more tricky (getting dependencies right, fighting against mklibs
> removing symbols - which I guess was... fixed).
> But you are absolutely correct in for this to be universally useful,
> we'd also need a ca-certificates-udeb. I can take a look at that but I
> somewhat fear that it won't be that much smaller than the regular one
> (maybe ~150k udeb size).

If you're going to need another cpio archive with PEM files, can't you
just add the needed bits (wget & libraries) for https there?

Adding packages for every single image just so that Google people can
append a cpio archive with some CAs doesn't look too reasonable to me:
you need to do extra work on your end anyway, and everybody pays that
price without getting any advantage…


Attachment: signature.asc
Description: Digital signature

Reply to: