
Bug#842040: Please add https support



Philipp Kern <pkern@debian.org> (2016-11-20):
> On 20.11.2016 05:52, Cyril Brulebois wrote:
> > Well, I think this is a crucial issue: what use case(s) are you trying
> > to fix? “We want https” isn't clear to me.
> 
> After d-i has installed the system, we use HTTPS with client
> certificates - using apt-transport-https. The use case there is
> authentication and being allowed to fetch packages from any network,
> including the Internet. During d-i we unfortunately still have to rely
> on network trust, where we run against the company policy of not having
> unencrypted services. Plus we'd need to have various non-HTTPS endpoints
> (packages, configuration, images[1]) in addition to the HTTPS ones we
> already have, which complicates maintenance. You'd think that we aren't
> the only ones who'd host configuration behind an HTTPS server, though[2].
> That we also serve all of the packages through HTTPS is just a byproduct.
> 
> > Besides wget supporting https, is there any work needed on the retriever
> > side? What about trust chains, do you have any bundled list of trusted
> > CAs? Do you want to be able to rebuild d-i with a specific trusted CA,
> > and trust none by default?
> 
> I can say what works for us: adding another cpio archive to the netboot
> that contains files in /etc/ssl/certs (PEM files plus the result of
> c_rehash). You can pass multiple initrds to the kernel and it will
> unpack them one by one, which easily allows adding more files and
> overwrite existing ones (but not to remove files, AFAIK). It's not
> really much worse than other bits of configuration, like preseeds.
> Embedding another binary like wget and not just scripts, however, is
> more tricky (getting dependencies right, fighting against mklibs
> removing symbols - which I guess was... fixed).
> 
> But you are absolutely correct in that for this to be universally useful,
> we'd also need a ca-certificates-udeb. I can take a look at that but I
> somewhat fear that it won't be that much smaller than the regular one
> (maybe ~150k udeb size).

If you're going to need another cpio archive with PEM files, can't you
just add the needed bits (wget & libraries) for https there?

Adding packages for every single image just so that Google people can
append a cpio archive with some CAs doesn't look too reasonable to me:
you need to do extra work on your end anyway, and everybody pays that
price without getting any advantage…


KiBi.
