On Sun, Nov 20, 2016 at 11:52:09 +0100, Philipp Kern wrote:
> On 20.11.2016 11:45, Cyril Brulebois wrote:
> >> But you are absolutely correct in for this to be universally useful,
> >> we'd also need a ca-certificates-udeb. I can take a look at that but I
> >> somewhat fear that it won't be that much smaller than the regular one
> >> (maybe ~150k udeb size).
> >
> > If you're going to need another cpio archive with PEM files, can't you
> > just add the needed bits (wget & libraries) for https there?
> >
> > Adding packages for every single image just so that Google people can
> > append a cpio archive with some CAs doesn't look too reasonable to me:
> > you need to do extra work on your end anyway, and everybody pays that
> > price without getting any advantage…
>
> Well, I said why adding wget plus somehow determining the required
> libraries is harder than just adding some static content.[1] We also
> wouldn't need to do the PEM cpio dance if ca-certificates-udeb would be
> part of the image. We don't need to add an internal CA or something like
> that.
>

I think until there's a ca-certificates-udeb, adding wget for https in
all images isn't reasonable, vs google rebuilding d-i with added wget
and the PEM bits you need. I guess ca-certificates-udeb would need some
way to preseed a list of trusted CAs.

Cheers,
Julien