
Re: HTTPS metadata in Mirrors.masterlist?



On Tue, Feb 11, 2014 at 01:45:53PM +0000, Colin Watson wrote:
> > 
> > (And yes, I know that this is only of any actual use if we do
> > certificate checks.  Right now the way I have things hooked up is that
> > you can add certificates to the d-i initramfs, either by rebuilding with
> > SSL_CERTS set in build/config/local or by concatenating another
> > initramfs-format archive of c_rehash-ed certificates unpacking to
> > /usr/lib/ssl/certs; or else debian-installer/allow_unauthenticated=false
> > will imply no certificate checking.  You have to supply GNU wget anyway,
> > since busybox wget doesn't speak HTTPS.  If more people than I suspect
> > want to use this then we might want to consider something with
> > ca-certificates, but I felt that was overkill for now and it certainly
> > involved more thinking about policy than I wanted to do.)

So the first question I have about this is if we can get
ftp.TLD.debian.org certificates for this, and what happens when
that host is down and DNS gets pointed to a different host?

I have to guess that we should only do that on the hostname that
is not ftp.TLD.debian.org, while I think it now only shows that
name?


Kurt

