Control: tag -1 pending

jnqnfe <jnq...@gmail.com> (2015-01-15):
> Package: debootstrap
> Severity: important
> Tags: security patch
>
> In the event of a GPG keyring not being found, debootstrap may fall back
> to the alternative security of an https mirror.
>
> Users lacking the requisite GPG keyring file (or perhaps just making a
> typo in their parameters) may not necessarily be satisfied with the
> security of https. They might like a choice of simply receiving an error
> instead, prompting them to investigate and resolve the missing keyring
> issue, and should not be expected to have to take care to watch the log
> output to check the file was found and if not then terminate the process
> in such cases.
>
> The attached patch adds a simple new --no-https-fallback parameter to
> provide users with control over the fallback behaviour.
>
> Note, this patch builds upon my patches for bugs #661501 and #775449; I
> haven't checked whether conflicts occur if applying it without those
> already in place, apologies for that, I have a lot of work to do.

I've implemented a slightly modified version of your patch. Feel free to
follow up in case I missed something:
  https://anonscm.debian.org/cgit/d-i/debootstrap.git/commit/?id=be99f7b

Mraw,
KiBi.