[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#842040: Please add https support

On 11/20/2016 12:10 PM, Julien Cristau wrote:
> I think until there's a ca-certificates-udeb, adding wget for https in
> all images isn't reasonable, vs google rebuilding d-i with added wget
> and the PEM bits you need.  I guess ca-certificates-udeb would need some
> way to preseed a list of trusted CAs.

I just tried it out with the following patch to the base package list:

diff --git a/build/pkg-lists/base b/build/pkg-lists/base
index 3da0e4c..6f1d955 100644
--- a/build/pkg-lists/base
+++ b/build/pkg-lists/base
@@ -25,3 +25,6 @@ ca-certificates-udeb

 libkmod2-udeb [linux]
 kldutils-udeb [kfreebsd]

choose-mirror does not ask for the protocol by default, as the question
is priority medium. I did my installation by passing priority=medium on
the command-line, but you could as well preseed the protocol to https I
think. In that case it does not show a list of mirrors (because
Mirrorlist does not list https capabilities), but works just fine with
deb.debian.org, which points to Cloudfront for HTTPS support. d-i
component load worked, debootstrap worked and the resulting chroot had
apt-transport-https and a sources.list pointing to
https://deb.debian.org. The security archive was added without https,
but that's unavoidable at this point given that it does not actually
support it.

As for not breaking orion5x images, I suppose the following could do the

diff --git a/build/pkg-lists/netboot/armel/orion5x.cfg
index 9fc7584..c0c8b83 100644
--- a/build/pkg-lists/netboot/armel/orion5x.cfg
+++ b/build/pkg-lists/netboot/armel/orion5x.cfg
@@ -1,2 +1,6 @@
 # To control the LED and beeper on Buffalo devices
+# Do not include HTTPS support to keep the image small.
+wget-udeb -
+ca-certificates-udeb -

However this is untested on armel because abel died on me when I tried
to set up my chroot and debian-installer does not support
cross-compilation. I tried out the same through amd64.cfg, overriding
base and it worked for me.

So I suppose this should be ok to commit and push?

Kind regards and thanks
Philipp Kern

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: