On Tue, Feb 11, 2014 at 01:04:29PM +0000, Colin Watson wrote:
> I'm working on adding HTTPS support to d-i.  Now, I know that we already
> have integrity by way of the GPG signature chain, but this isn't for
> that; this is in response to feedback Canonical has had from some Ubuntu
> customers (typically of the large and corporate variety) that they want
> to do all of their apt traffic over HTTPS to avoid people snooping on
> which packages various machines are installing.  We already have some
> minimal support for this by way of Joey's change in debootstrap 1.0.56:
>
>   * When debootstrapping Debian, and the debian-archive-keyring is not
>     available, switch the default mirror to a https url. This way at
>     least the CA level of security is available even for users who
>     have no way to check gpg keys in the WoT. The https mirror is
>     currently https://mirrors.kernel.org/debian.
>
> Now, the next thing on my list to work on is choose-mirror: you should
> be able to pass mirror/protocol=https and have it offer you HTTPS
> mirrors if it knows about any, and otherwise just ask you to enter
> mirror information manually.  I suspect that in reality most users of
> this feature would have an internal mirror, but it would be good to
> offer public mirrors where we know about them too.
>
> Would it be possible, then, to add "Archive-https: /debian/" to the
> "Site: mirrors.kernel.org" stanza in Mirrors.masterlist, and perhaps
> start maintaining Archive-https fields for other mirrors willing to
> participate?  That would at least get a minimal list started for this
> mode.
>
> (And yes, I know that this is only of any actual use if we do
> certificate checks.  Right now the way I have things hooked up is that
> you can add certificates to the d-i initramfs, either by rebuilding with
> SSL_CERTS set in build/config/local or by concatenating another
> initramfs-format archive of c_rehash-ed certificates unpacking to
> /usr/lib/ssl/certs; or else debian-installer/allow_unauthenticated=false
> will imply no certificate checking.  You have to supply GNU wget anyway,
> since busybox wget doesn't speak HTTPS.  If more people than I suspect
> want to use this then we might want to consider something with
> ca-certificates, but I felt that was overkill for now and it certainly
> involved more thinking about policy than I wanted to do.)

I managed to typo debian-mirr...@lists.debian.org as
debian-mirr...@lists.kernel.org, bafflingly.  Following up with full
quoting so that both lists have it ...

Thanks,

-- 
Colin Watson [cjwat...@debian.org]
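
Added example, not part of the original message and not code from choose-mirror or the Debian mirror tooling: a sketch of how a mirror chooser could pick sites by the proposed Archive-https field and return nothing (meaning "ask for mirror details manually") rather than downgrade to http. The sample stanzas are constructed, mirror.example.org is a placeholder, and the function names are hypothetical.

```python
# Added example: not choose-mirror's code. SAMPLE is constructed; only the
# "Archive-https: /debian/" value for mirrors.kernel.org comes from the
# message above. mirror.example.org is a placeholder site.
SAMPLE = """\
Site: mirrors.kernel.org
Country: US United States
Archive-http: /debian/
Archive-https: /debian/

Site: mirror.example.org
Country: DE Germany
Archive-http: /debian/
"""


def parse_stanzas(text):
    """Split RFC 822-style text into one {field: value} dict per stanza."""
    stanzas, current = [], {}
    for line in text.splitlines():
        if not line.strip():                  # blank line closes a stanza
            if current:
                stanzas.append(current)
                current = {}
            continue
        if line[0] in " \t" or ":" not in line:
            continue                          # continuation or junk: ignored here
        key, _, value = line.partition(":")
        current[key.strip().lower()] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def mirrors_for(text, protocol):
    """Return base URLs of sites that carry an Archive-<protocol> field.

    An empty list means "ask for mirror details manually"; a request for
    https is never answered with an http URL.
    """
    proto = protocol.lower()
    urls = []
    for stanza in parse_stanzas(text):
        site, path = stanza.get("site"), stanza.get("archive-" + proto)
        if site and path:
            tail = path.strip("/")
            urls.append(f"{proto}://{site}/" + (tail + "/" if tail else ""))
    return urls


if __name__ == "__main__":
    print(mirrors_for(SAMPLE, "https"))
```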