Bug#913740: fetch-url does not use --no-check-certificate on HTTP to HTTPS redirects

[Mauricio Oliveira <mauricio.oliveira@canonical.com>]

Hi Philipp,

On Thu, Nov 15, 2018 at 7:21 AM Philipp Kern <pkern@debian.org> wrote:
[...]
> Why do we need to build out this insecure option more rather than the
> target having supported SSL certificates (now that Let's Encrypt and
> friends exist)? [...]

Point taken, however this seems orthogonal to the current problem,
which is the 'allow_unauthenticated_ssl=true' option it not used even
if the user requests it, in the particular case of HTTP-HTTPS redirect.

That is a problem.  Of course, not using of valid/supported SSL certificates
_may_ be _another_ problem, i.e., a security concern, but it's arguably not so
in some scenarios, e.g., restricted-access and test/debug environments.
In this case, the latter problem may be _acceptable), but the former problem
prevents it from even being _usable_ regardless of the user's choice/decision.

So, I can certainly appreciate the point you brought up about it,
but I believe this is more of fixing a corner/particular case bug
that is not yet covered for a functionality that is already in place.

> [...] I will note that it's also possible to copy additional
> root certificates into the initrd pre-install. (At least it used to work
> before HTTPS was generally available.)

It looks like this requires rebuilding the initrd, which is some extra work
(and unfortunately it does not allow using the already
distributed/official files out there),
and someone can also decide to do that for the case without
HTTP->HTTPS redirect,
so not really particular to this problem/bug report itself, if I
understand it correctly.

Hope this helps!

Best regards,

-- 
Mauricio Faria de Oliveira