Christian PERRIER <bubu...@debian.org> writes:

> Quoting Kernc (kernc...@gmail.com):
>> Package: debian-installer
>> Version: 20121114
>> Severity: normal
>>
>> Dear Maintainer,
>>
>> When running automatic installation with preseed file, the installer
>> fails to download the preseed config file if provided from a HTTPS
>> location, e.g.
>> preseed/url=https://raw.github.com/kernc/linux-home/master/debfix-preseed.cfg
>>
>> The limitation is that of BusyBox's wget, which doesn't handle
>> HTTPS.
>>
>> Since original wget is part of base install and thus inherently
>> present on the medium, can't it somehow be used instead of the
>> BusyBox version?
>
> It's too early in the installation process to have wget ready and
> installed when the preseed file is gathered. I don't know if busybox
> wget can be enabled with HTTPS but I doubt we do it (as it will
> probably require adding SSL libraries as well).
>
> In short, I very much doubt that https gathering of preseed files is
> easy to achieve.

One is prompted to ask why this is important -- do you want HTTPS because you're concerned about privacy, or concerned about the possibility of someone mounting a man-in-the-middle attack and providing alternative preseed files, or just because you're not currently running anything but an HTTPS server?

Some of those aims should be achievable by using HTTP based preseed files, and then checking them using gpgv before loading them.

Of course you need to have a trusted way of getting the keys you trust onto the install machine, but the same goes for the HTTPS server keys that you'd need to trust.

That could be as little as showing the fingerprint of the key to the user, and asking them to verify it against a piece of paper (as long as the d-i image that caused the fingerprint to be shown is trusted) -- or just having the keys on the CD or USB stick that you're installing from, say.

PXE booting (unless it has authentication) means that you cannot trust what's on the machine anyway ... at least not if you distrust your network enough to want HTTPS.

There are the beginnings of some preseed scripts that would allow this sort of checking, but without the actual gpg stuff yet, here:

  http://hands.com/d-i/
  http://hands.com/d-i/squeeze/

with the missing bit of the jigsaw being here:

  http://hands.com/d-i/squeeze/checksigs.sh

which should ensure that gpgv is available, and then use it to check that a downloaded file of checksums is signed by a signature that we trust, and then use the checksums in that file for each of the matching files as it downloads them ... but all of that's missing at present.

It should be possible to do all that in a script that then needs no changes, such that the checksum can be set once and for all in:

  http://hands.com/d-i/squeeze/preseed.cfg

which is what starts the ball rolling.

If you have a need for this, please feel free to add the missing pieces (or pay/beg me to do so ;-) ), as then we'll be able to have a framework for safely publishing example preseed recipes on debian.org

Cheers, Phil.
-- 
|)|  Philip Hands [+44 (0)20 8530 9560]    http://www.hands.com/
|-|  HANDS.COM Ltd.                    http://www.uk.debian.org/
|(|  10 Onslow Gardens, South Woodford, London  E18 1NE  ENGLAND
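
The check described in the reply above (confirm gpgv is present, verify the signed checksum list, then check each download against it), as an added sketch that is not the contents of checksigs.sh or any code from this thread. The keyring path, the file names SHA256SUMS and SHA256SUMS.sig, and all function names are assumptions.

```shell
#!/bin/sh
# Added sketch; every name here is hypothetical.
# Assumes a keyring that reached the machine by a trusted route (CD/USB),
# and a SHA256SUMS list with a detached signature SHA256SUMS.sig
# published next to the preseed files.

KEYRING=${KEYRING:-/media/trusted-keys.gpg}   # assumed location

# Step 1: stop unless gpgv exists and the checksum list is signed by a
# key in the trusted keyring. gpgv exits non-zero on any bad signature.
verify_sums() {   # verify_sums <sums-file> <detached-sig>
    command -v gpgv >/dev/null 2>&1 || { echo "gpgv not available" >&2; return 2; }
    gpgv --keyring "$KEYRING" "$2" "$1" 2>/dev/null
}

# Step 2: check one downloaded file against the verified list.
# Fails closed: a file with no entry in the list is rejected.
check_file() {    # check_file <sums-file> <listed-name> <local-path>
    sums=$1 name=$2 path=$3
    # sha256sum lists names as "name" (text) or "*name" (binary mode)
    want=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$sums")
    [ -n "$want" ] || { echo "$name: not listed in $sums" >&2; return 1; }
    have=$(sha256sum "$path" | awk '{ print $1 }')
    [ "$have" = "$want" ] || { echo "$name: checksum mismatch" >&2; return 1; }
}

# Step 3: download to a temporary name and only move the file into
# place once its checksum matches, so nothing unverified is loaded.
fetch_checked() { # fetch_checked <base-url> <sums-file> <name> <dest>
    wget -q -O "$4.tmp" "$1/$3" || return 1
    if check_file "$2" "$3" "$4.tmp"; then
        mv "$4.tmp" "$4"
    else
        rm -f "$4.tmp"
        return 1
    fi
}
```

Call verify_sums once on the downloaded list, and call fetch_checked for later files only if it returned 0; plain HTTP then carries the files while the signature carries the trust.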