Control: tag -1 + pending
On Fri, 23 Feb 2018, Kristian Klausen wrote:
> Busybox version of wget does not check the certificate at all, which defeat
> the purpose of https.
> Tested with (on testing): busybox wget 'https://untrusted-root.badssl.com/'
> and busybox wget 'https://expired.badssl.com/'
At the same time, ca-certificates is not embedded in the initrd either so
certificates could not be checked. And the purpose of https is two-fold:
privacy due to encryption (we have that), and authentication with
certificates (we don't have that).
I don't even know where live-boot is using URL and what for. But I have
committed the patch.
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/