
Bug#842040: Please add https support



On 11/20/2016 12:10 PM, Julien Cristau wrote:
> I think until there's a ca-certificates-udeb, adding wget for https in
> all images isn't reasonable, vs Google rebuilding d-i with added wget
> and the PEM bits you need.  I guess ca-certificates-udeb would need some
> way to preseed a list of trusted CAs.

I just tried it out with the following patch to the base package list:

diff --git a/build/pkg-lists/base b/build/pkg-lists/base
index 3da0e4c..6f1d955 100644
--- a/build/pkg-lists/base
+++ b/build/pkg-lists/base
@@ -25,3 +25,6 @@ ca-certificates-udeb

 libkmod2-udeb [linux]
 kldutils-udeb [kfreebsd]
+
+wget-udeb
+ca-certificates-udeb
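
Review bot: the added `ca-certificates-udeb` line may be a duplicate, because the `@@ -25,3 +25,6 @@` header already carries `ca-certificates-udeb` as its context label, which suggests an entry of that name exists earlier in build/pkg-lists/base. Check the file above line 25 and, if it is already listed, add only `wget-udeb`. The two new lines also have no comment; a single line saying they are there for HTTPS mirror support, in the style of the comment in the orion5x.cfg hunk, would tell whoever trims this list later why they are in base.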

choose-mirror does not ask for the protocol by default, as the question
is priority medium. I did my installation by passing priority=medium on
the command-line, but you could as well preseed the protocol to https I
think. In that case it does not show a list of mirrors (because
Mirrorlist does not list https capabilities), but works just fine with
deb.debian.org, which points to Cloudfront for HTTPS support. d-i
component load worked, debootstrap worked and the resulting chroot had
apt-transport-https and a sources.list pointing to
https://deb.debian.org. The security archive was added without https,
but that's unavoidable at this point given that it does not actually
support it.

As for not breaking orion5x images, I suppose the following could do the
trick:

diff --git a/build/pkg-lists/netboot/armel/orion5x.cfg
b/build/pkg-lists/netboot/armel/orion5x.cfg
index 9fc7584..c0c8b83 100644
--- a/build/pkg-lists/netboot/armel/orion5x.cfg
+++ b/build/pkg-lists/netboot/armel/orion5x.cfg
@@ -1,2 +1,6 @@
 # To control the LED and beeper on Buffalo devices
 micro-evtd-udeb
+
+# Do not include HTTPS support to keep the image small.
+wget-udeb -
+ca-certificates-udeb -
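
Review bot: the comment above `wget-udeb -` and `ca-certificates-udeb -` gives the reason (image size) but not the consequence: with both udebs excluded, this image has neither the HTTPS-capable wget nor the CA bundle, so selecting or preseeding https as the mirror protocol is not expected to work on orion5x. Extend the comment to say that HTTPS mirrors are unavailable from this image. These two lines only make sense together with the additions to build/pkg-lists/base, so confirm on an actual armel build that both udebs are absent from the resulting image before pushing.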

However this is untested on armel because abel died on me when I tried
to set up my chroot and debian-installer does not support
cross-compilation. I tried out the same through amd64.cfg, overriding
base and it worked for me.

So I suppose this should be ok to commit and push?

Kind regards and thanks
Philipp Kern
