
Bug#885455: live-boot: Please drop wget from initrd (busybox provides wget)



> > On Wednesday, 21.02.2018, at 10:08 +0100, Raphael Hertzog wrote:
> > Hello,
> >
> > On Wed, 27 Dec 2017, Benjamin Drung wrote:
> > > The wget binary depends on many libraries. On Debian 9 (stretch)
> > > these are: libffi6, libgnutls30, libhogweed4, libidn11, libidn2-0,
> > > libnettle6, libp11-kit0, libpsl5, libtasn1-6, libunistring0. In
> > > total 8 megabytes. This increases the initramfs size a lot. To save
> > > space, use wget from busybox instead. Commit 4328832d0 that adds
> > > wget does not give a reason why busybox's wget is not used. A patch
> > > is tested and attached.
> >
> > The usual reason is for "https" support. Have you tried to use https
> > URLs in the various places where we can use URLs?
>
> Okay. I did some tests in a minimal schroot environment:
>
> (stretch)root@konstrukt:~# dpkg -s busybox | grep ^Version
> Version: 1:1.22.0-19+b3
> (stretch)root@konstrukt:~# busybox wget https://bugs.debian.org/
> wget: not an http or ftp url: https://bugs.debian.org/
>
> (buster)root@konstrukt:~# dpkg -s busybox | grep ^Version
> Version: 1:1.27.2-2
> (buster)root@konstrukt:~# busybox wget https://bugs.debian.org/
> Connecting to bugs.debian.org (209.87.16.39:443)
> Connecting to www.debian.org (5.153.231.4:443)
> index.html           100% |***************| 18089   0:00:00 ETA
>
> So busybox in stretch does not support HTTPS, but it supports HTTPS in
> testing/unstable.

Busybox version of wget does not check the certificate at all, which defeats the purpose of https.
Tested with (on testing): busybox wget 'https://untrusted-root.badssl.com/' and busybox wget 'https://expired.badssl.com/'

- Kristian
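
The test described in the message above can be repeated against any wget-compatible fetcher before it replaces GNU wget in an initrd; the following is an added example, not part of the original thread or of live-boot. The function name `check_tls_validation` is made up here, the control URL is the Debian one used earlier in the thread, and a real run needs network access.

```shell
#!/bin/sh
# Added example: does a wget-style fetcher refuse invalid certificates?
# Usage: sh check.sh busybox wget      (or: sh check.sh wget)

# Control URL with a valid certificate, and the two bad-certificate URLs
# quoted in the message above.
GOOD_URL='https://bugs.debian.org/'
BAD_URLS='https://untrusted-root.badssl.com/ https://expired.badssl.com/'

# check_tls_validation <fetcher command...>
# Returns 0 if every bad-certificate URL was refused,
#         1 if at least one was fetched successfully,
#         2 if the control fetch failed (result would be meaningless).
check_tls_validation() {
    # Without a working control fetch, a later failure could be a network
    # or DNS problem rather than a rejected certificate.
    if ! "$@" -q -O /dev/null "$GOOD_URL" 2>/dev/null; then
        echo "inconclusive: control fetch of $GOOD_URL failed"
        return 2
    fi
    accepted=''
    for url in $BAD_URLS; do
        # A zero exit status here means the fetcher downloaded the page
        # despite the invalid certificate.
        if "$@" -q -O /dev/null "$url" 2>/dev/null; then
            accepted="$accepted $url"
        fi
    done
    if [ -n "$accepted" ]; then
        echo "NOT validating, accepted:$accepted"
        return 1
    fi
    echo "validating: all bad-certificate URLs refused"
    return 0
}

# Run only when a fetcher command was given on the command line.
if [ "$#" -gt 0 ]; then
    check_tls_validation "$@"
fi
```
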

