Bug#913740: fetch-url does not use --no-check-certificate on HTTP to HTTPS redirects

To: Mauricio Oliveira <mauricio.oliveira@canonical.com>, 913740@bugs.debian.org
Subject: Bug#913740: fetch-url does not use --no-check-certificate on HTTP to HTTPS redirects
From: Philipp Kern <pkern@debian.org>
Date: Wed, 21 Nov 2018 22:02:13 +0100
Message-id: <[🔎] ca0eca41-52bf-df56-e1fb-32dc11cd2c79@debian.org>
Reply-to: Philipp Kern <pkern@debian.org>, 913740@bugs.debian.org
In-reply-to: <[🔎] CAO9xwp2aq0k1wib0WK_xHZPps2SzCzZZtY=JtNz-oJ+sj2bPrA@mail.gmail.com>
References: <[🔎] CAO9xwp2uUQgS0CUhPss=qqUJtHqP6vmLmvmpJ+Vb79uKnjcyWw@mail.gmail.com> <[🔎] 99119b4c84f1d9da638e6834ecda7412@debian.org> <[🔎] CAO9xwp2uUQgS0CUhPss=qqUJtHqP6vmLmvmpJ+Vb79uKnjcyWw@mail.gmail.com> <[🔎] CAO9xwp2aq0k1wib0WK_xHZPps2SzCzZZtY=JtNz-oJ+sj2bPrA@mail.gmail.com> <[🔎] CAO9xwp2uUQgS0CUhPss=qqUJtHqP6vmLmvmpJ+Vb79uKnjcyWw@mail.gmail.com>

Am 21.11.2018 um 15:47 schrieb Mauricio Oliveira:
>> [...] I will note that it's also possible to copy additional
>> root certificates into the initrd pre-install. (At least it used to work
>> before HTTPS was generally available.)
> It looks like this requires rebuilding the initrd, which is some extra work
> (and unfortunately it does not allow using the already
> distributed/official files out there), [...]

Linux support specifying multiple files to be loaded as an initrd[1]. In
that case the content is merged and you can keep reusing the distributed
files, just adding your root certificates on top.

Yes, it requires extra work. So does preseeding.

Now maybe the argument is that there could be mirrors outside of your
control that redirect you to HTTPS and the root of trust is the GPG key
material embedded into the initrd. That's a fair point but I will note
that you did not actually list a use case, you just reported what didn't
work.

I guess I don't really object to your patch and am mostly questioning
the existence of the option in this day and age, which then means people
are encouraged to enable that rather than setup their infrastructure
correctly. But there might still be value in having that option
available with some signage on how to do it right.

Kind regards
Philipp Kern

[1] In EFI mode Linux is the one requesting the files. Otherwise the
boot loader can provide them, which works fine at least with grub and iPXE.

Reply to:

Follow-Ups:
- Bug#913740: fetch-url does not use --no-check-certificate on HTTP to HTTPS redirects
  - From: Mauricio Oliveira <mauricio.oliveira@canonical.com>

References:
- Bug#913740: fetch-url does not use --no-check-certificate on HTTP to HTTPS redirects
  - From: Mauricio Oliveira <mauricio.oliveira@canonical.com>
- Bug#913740: fetch-url does not use --no-check-certificate on HTTP to HTTPS redirects
  - From: Philipp Kern <pkern@debian.org>
- Bug#913740: fetch-url does not use --no-check-certificate on HTTP to HTTPS redirects
  - From: Mauricio Oliveira <mauricio.oliveira@canonical.com>

Prev by Date: Bug#913740: fetch-url does not use --no-check-certificate on HTTP to HTTPS redirects
Next by Date: Bug#913740: fetch-url does not use --no-check-certificate on HTTP to HTTPS redirects
Previous by thread: Bug#913740: fetch-url does not use --no-check-certificate on HTTP to HTTPS redirects
Next by thread: Bug#913740: fetch-url does not use --no-check-certificate on HTTP to HTTPS redirects
Index(es):
- Date
- Thread