[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#885455: live-boot: Please drop wget from initrd (busybox provides wget)

Am Freitag, den 23.02.2018, 20:17 +0100 schrieb Raphael Hertzog:
> Control: tag -1 + pending
> 
> On Fri, 23 Feb 2018, Kristian Klausen wrote:
> > Busybox version of wget does not check the certificate at all,
> > which defeat the purpose of https.
> > Tested with (on testing): busybox wget 'https://untrusted-root.bads
> > sl.com/' and busybox wget 'https://expired.badssl.com/'
> 
> At the same time, ca-certificates is not embedded in the initrd
> either so
> certificates could not be checked. And the purpose of https is two-
> fold:
> privacy due to encryption (we have that), and authentication with
> certificates (we don't have that).
> 
> I don't even know where live-boot is using URL and what for. But I
> have
> committed the patch.

The fetch= and httpfs= live-boot parameter take URLs.

-- 
Benjamin Drung
System Developer
Debian & Ubuntu Developer

ProfitBricks GmbH
Greifswalder Str. 207
D - 10405 Berlin

Email: benjamin.drung@profitbricks.com
URL: https://www.profitbricks.de

Sitz der Gesellschaft: Berlin
Registergericht: Amtsgericht Charlottenburg, HRB 125506 B
Geschäftsführer: Achim Weiss, Matthias Steinberg
Reply to: