Bug#891009: debootstrap: wrongly falls back to https://deb.debian.org when try to create Ubuntu chroot

2024-02-14 Thread Ken Sharp 

This should be fixed in the next release.
https://salsa.debian.org/installer-team/debootstrap/-/commit/7e5923030e331f466ec1b56d875b023a274e9220


OpenPGP_signature.asc
Description: OpenPGP digital signature

Bug#891009: debootstrap: wrongly falls back to https://deb.debian.org when try to create Ubuntu chroot

2018-08-03 Thread Hideki Yamane 
On Wed, 21 Feb 2018 22:31:02 +0900 Hideki Yamane  wrote:
> And, https assures only secure *connection*, not integrity of *contents*
> as GPG does, so this behavior is not good, IMO. 

 As I said above, what https ensures and gpg does is different, and "if
 there's no reliable keyring then fallback to https connection" behavior
 is not good. I suggest to remove this feature from debootstrap, do you
 have any idea for it? If so, please let me know it and why.


-- 
Hideki Yamane

Bug#891009: debootstrap: wrongly falls back to https://deb.debian.org when try to create Ubuntu chroot

2018-02-21 Thread Hideki Yamane 
Package: debootstrap
Severity: normal
Vesrion: 1.0.56

Hi,

 If you try "debootstrap  ", it automatically falls
 back to pre-defined HTTPS mirror. 

> keyring () {
> if [ -z "$KEYRING" ]; then
> if [ -e "$1" ]; then
> KEYRING="$1"
> elif [ -z "$DISABLE_KEYRING" ]; then
> if [ -n "$DEF_HTTPS_MIRROR" ] && [ -z "$USER_MIRROR" 
> ] && [ -z "$FORCE_KEYRING" ]; then
> info KEYRING "Keyring file not available at 
> %s; switching to https mirror %s" "$1" "$DEF_HTTPS_MIRROR"
> USER_MIRROR="$DEF_HTTPS_MIRROR"
> else

 But defined DEF_HTTPS_MIRROR is https://deb.debian.org, it fails with
 a bit wrong error message. 

> $ sudo debootstrap artful artful
> I: Keyring file not available at 
> /usr/share/keyrings/ubuntu-archive-keyring.gpg; switching to https mirror 
> https://deb.debian.org/debian
> I: Retrieving InRelease 
> I: Retrieving Release 
> E: Failed getting release file 
> https://deb.debian.org/debian/dists/artful/Release

 Expected behavior is
  - fails with just "Keyring file not available" error message
  - or falls back to Ubuntu https mirror.


 And, https assures only secure *connection*, not integrity of *contents*
 as GPG does, so this behavior is not good, IMO. 


-- 
Regards,

 Hideki Yamane henrich @ debian.org/iijmio-mail.jp