Philipp Kern <pkern@debian.org> (2016-11-20): > On 20.11.2016 05:52, Cyril Brulebois wrote: > > Well, I think this is a crucial issue: what use case(s) are you trying > > to fix? “We want https” isn't clear to me. > > After d-i has installed the system, we use HTTPS with client > certificates - using apt-transport-https. The use case there is > authentication and be allowed to fetch packages from any network, > including the Internet. During d-i we unfortunately still have to rely > on network trust, where we run against the company policy of not having > unencrypted services. Plus we'd need to have various non-HTTPS endpoints > (packages, configuration, images[1]) in addition to the HTTPS ones we > already have, which complicates maintenance. You'd think that we aren't > the only ones who'd host configuration behind a HTTPS server, though[2]. > That we also serve all of the packages through HTTPS is just a byproduct. > > > Besides wget supporting https, is there any work needed on the retriever > > side? What about trust chains, do you have any bundled list of trusted > > CAs? Do you want to be able to rebuild d-i with a specific trusted CA, > > and trust none by default? > > I can say what works for us: adding another cpio archive to the netboot > that contains files in /etc/ssl/certs (PEM files plus the result of > c_rehash). You can pass multiple initrds to the kernel and it will > unpack them one by one, which easily allows to add more files and > overwrite existing ones (but not to remove files, AFAIK). It's not > really much worse than other bits of configuration, like preseeds. > Embedding another binary like wget and not just scripts, however, is > more tricky (getting dependencies right, fighting against mklibs > removing symbols - which I guess was... fixed). > > But you are absolutely correct in for this to be universally useful, > we'd also need a ca-certificates-udeb. I can take a look at that but I > somewhat fear that it won't be that much smaller than the regular one > (maybe ~150k udeb size). If you're going to need another cpio archive with PEM files, can't you just add the needed bits (wget & libraries) for https there? Adding packages for every single image just so that Google people can append a cpio archive with some CAs doesn't look too reasonable to me: you need to do extra work on your end anyway, and everybody pays that price without getting any advantage… KiBi.
Attachment:
signature.asc
Description: Digital signature