Bug#698528: debian-installer: BusyBox's wget doesn't preseed from HTTPS

2017-08-10 Thread Philipp Kern
On 09.08.2017 04:55, Chris Lamb wrote:
>> debian-installer: BusyBox's wget doesn't preseed from HTTPS
> 
> Whilst this was originally reported in 2013, in late 2017 finding
> *any* internet location that doesn't redirect to HTTPS is extremely
> difficult and will only get more so.
> 
> (Indeed, it wouldn't be too much of a stretch to justify removing
> *non*-HTTP support!)
> 
>> Marga's been looking into this lately, see #802591 & #802596.
> 
> These have now been closed :)

Yup, and should have fixed this issue with them. Explicitly adding Marga
to confirm.

Kind regards
Philipp Kern





Bug#698528: debian-installer: BusyBox's wget doesn't preseed from HTTPS

2017-08-08 Thread Chris Lamb
Hi all,

> debian-installer: BusyBox's wget doesn't preseed from HTTPS

Whilst this was originally reported in 2013, in late 2017 finding
*any* internet location that doesn't redirect to HTTPS is extremely
difficult and will only get more so.

(Indeed, it wouldn't be too much of a stretch to justify removing
*non*-HTTP support!)

> Marga's been looking into this lately, see #802591 & #802596.

These have now been closed :)


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Bug#698528: debian-installer: BusyBox's wget doesn't preseed from HTTPS

2015-10-23 Thread Cyril Brulebois
Hi Arnaud,

Arnaud Loonstra  (2015-10-23):
> Simply hosting a preseed file on github.com, for example, fails.
> 
> This was an issue with the debian-installer in Ubuntu as well but they seemed to
> have added https support. Couldn't it be added to the original installer?
> 
> https://bugs.launchpad.net/ubuntu/+source/debian-installer/+bug/833994
> 
> * Add HTTPS support to fetch-url, which will only work if d-i has been
> built with GNU wget; debian-installer/allow_unauthenticated_ssl
> implies the --no-check-certificate option (LP: #833994).

Marga's been looking into this lately, see #802591 & #802596. I'm
currently preparing a release (and having various changes outside
Debian) so my free time is rather limited right now.

Mraw,
KiBi.




Bug#698528: debian-installer: BusyBox's wget doesn't preseed from HTTPS

2015-10-23 Thread Arnaud Loonstra

Simply hosting a preseed file on github.com, for example, fails.

This was an issue with the debian-installer in Ubuntu as well but they seemed 
to have added https support. Couldn't it be added to the original 
installer?


https://bugs.launchpad.net/ubuntu/+source/debian-installer/+bug/833994

* Add HTTPS support to fetch-url, which will only work if d-i has been
built with GNU wget; debian-installer/allow_unauthenticated_ssl
implies the --no-check-certificate option (LP: #833994).



Bug#698528: debian-installer: BusyBox's wget doesn't preseed from HTTPS

2013-01-21 Thread Cyril Brulebois
Philip Hands p...@hands.com (20/01/2013):
> If you have a need for this, please feel free to add the missing pieces
> (or pay/beg me to do so ;-) ), as then we'll be able to have a framework
> for safely publishing example preseed recipes on debian.org

Either way, looks like jessie material.

Mraw,
KiBi.




Bug#698528: debian-installer: BusyBox's wget doesn't preseed from HTTPS

2013-01-20 Thread Philip Hands
Christian PERRIER bubu...@debian.org writes:

> Quoting Kernc (kernc...@gmail.com):
>> Package: debian-installer
>> Version: 20121114
>> Severity: normal
>> 
>> Dear Maintainer,
>> 
>> When running automatic installation with preseed file, the installer
>> fails to download the preseed config file if provided from a HTTPS
>> location, e.g.
>> preseed/url=https://raw.github.com/kernc/linux-home/master/debfix-preseed.cfg
>> 
>> The limitation is that of BusyBox's wget, which doesn't handle
>> HTTPS.
>> 
>> Since original wget is part of base install and thus inherently
>> present on the medium, can't it somehow be used instead of the
>> BusyBox version?
>
> It's too early in the installation process to have wget ready and
> installed when the preseed file is gathered. I don't know if busybox
> wget can be enabled with HTTPS but I doubt we do it (as it will
> probably require adding SSL libraries as well).
>
> In short, I very much doubt that https gathering of preseed files is
> easy to achieve.

One is prompted to ask why this is important -- do you want HTTPS
because you're concerned about privacy, or concerned about the
possibility of someone mounting a man-in-the-middle attack and providing
alternative preseed files, or just because you're not currently running
anything but an HTTPS server?

Some of those aims should be achievable by using HTTP based preseed
files, and then checking them using gpgv before loading them.

Of course you need to have a trusted way of getting the keys you trust
onto the install machine, but the same goes for the HTTPS server keys
that you'd need to trust.

That could be as little as showing the fingerprint of the key to the
user, and asking them to verify it against a piece of paper (as long as
the d-i image that caused the fingerprint to be shown is trusted) -- or
just having the keys on the CD or USB stick that you're installing from,
say.

PXE booting (unless it has authentication) means that you cannot trust
what's on the machine anyway ... at least not if you distrust your
network enough to want HTTPS.

There are the beginnings of some preseed scripts that would allow this
sort of checking, but without the actual gpg stuff yet, here:

   http://hands.com/d-i/
   http://hands.com/d-i/squeeze/

with the missing bit of the jigsaw being here:

   http://hands.com/d-i/squeeze/checksigs.sh

which should ensure that gpgv is available, and then use it to check
that a downloaded file of checksums is signed by a signature that we
trust, and then use the checksums in that file for each of the matching
files as it downloads them ... but all of that's missing at present.

It should be possible to do all that in a script that then needs no
changes, such that the checksum can be set once and for all in:

   http://hands.com/d-i/squeeze/preseed.cfg

which is what starts the ball rolling.

If you have a need for this, please feel free to add the missing pieces
(or pay/beg me to do so ;-) ), as then we'll be able to have a framework
for safely publishing example preseed recipes on debian.org

Cheers, Phil.
-- 
|)|  Philip Hands [+44 (0)20 8530 9560]http://www.hands.com/
|-|  HANDS.COM Ltd.http://www.uk.debian.org/
|(|  10 Onslow Gardens, South Woodford, London  E18 1NE  ENGLAND
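
The check described in the message above (gpgv validates a signed checksum file, then each downloaded file is compared with its entry), as an added example that is not part of the thread and is not the checksigs.sh it links to. The function names, the SHA256SUMS file name and the GPGV override are assumptions, and the sample files are constructed.

```shell
# Added example, not checksigs.sh from the thread. Function names, file
# names and the GPGV override are assumptions made for illustration.
GPGV=${GPGV:-gpgv}   # verifier binary; overridable so the flow can be tested

# verify_manifest MANIFEST SIG KEYRING
# True only if SIG is a valid detached signature over MANIFEST made by a
# key in KEYRING (pass an absolute path; gpgv resolves bare names in its homedir).
verify_manifest() {
    "$GPGV" --keyring "$3" "$2" "$1" >/dev/null 2>&1
}

# expected_sum MANIFEST NAME
# Print the digest listed for NAME; fail unless NAME is listed exactly once.
expected_sum() {
    awk -v n="$2" '$2 == n || $2 == ("*" n) { s = $1; c++ }
                   END { if (c != 1) exit 1; print s }' "$1"
}

# check_file MANIFEST FILE
# True only if FILE's SHA-256 equals the manifest entry for its basename.
check_file() {
    want=$(expected_sum "$1" "$(basename "$2")") || return 1
    have=$(sha256sum "$2" | cut -d' ' -f1)
    [ -n "$have" ] && [ "$want" = "$have" ]
}

# accept_file MANIFEST SIG KEYRING FILE
# Fail closed: the manifest is trusted only after its signature verifies,
# and FILE is used only if it matches the now-trusted manifest.
accept_file() {
    verify_manifest "$1" "$2" "$3" || { echo "bad signature on $1" >&2; return 1; }
    check_file "$1" "$4" || { echo "checksum mismatch: $4" >&2; return 1; }
}

# demo: constructed data; results for a listed, a modified and an unlisted file.
demo() {
    d=$(mktemp -d) || return 1
    printf 'd-i debian-installer/locale string en_GB\n' > "$d/preseed.cfg"
    printf 'echo late\n' > "$d/late.sh"
    (cd "$d" && sha256sum preseed.cfg > SHA256SUMS)
    check_file "$d/SHA256SUMS" "$d/preseed.cfg" && r1=ok || r1=rejected
    printf 'd-i mirror/http/hostname string mirror.example\n' >> "$d/preseed.cfg"
    check_file "$d/SHA256SUMS" "$d/preseed.cfg" && r2=ok || r2=rejected
    check_file "$d/SHA256SUMS" "$d/late.sh" && r3=ok || r3=rejected
    rm -rf "$d"
    echo "$r1 $r2 $r3"
}
```

The keyring passed to `accept_file` has to reach the installer through the trusted path the message discusses (the install medium, or a fingerprint checked by hand); the checksum comparison proves nothing until the manifest signature has verified.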




Bug#698528: debian-installer: BusyBox's wget doesn't preseed from HTTPS

2013-01-19 Thread Kernc
Package: debian-installer
Version: 20121114
Severity: normal

Dear Maintainer,

When running automatic installation with preseed file, the installer
fails to download the preseed config file if provided from a HTTPS
location, e.g.
preseed/url=https://raw.github.com/kernc/linux-home/master/debfix-preseed.cfg

The limitation is that of BusyBox's wget, which doesn't handle
HTTPS.

Since original wget is part of base install and thus inherently
present on the medium, can't it somehow be used instead of the
BusyBox version?


-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- no debconf information





Bug#698528: debian-installer: BusyBox's wget doesn't preseed from HTTPS

2013-01-19 Thread Christian PERRIER
Quoting Kernc (kernc...@gmail.com):
> Package: debian-installer
> Version: 20121114
> Severity: normal
> 
> Dear Maintainer,
> 
> When running automatic installation with preseed file, the installer
> fails to download the preseed config file if provided from a HTTPS
> location, e.g.
> preseed/url=https://raw.github.com/kernc/linux-home/master/debfix-preseed.cfg
> 
> The limitation is that of BusyBox's wget, which doesn't handle
> HTTPS.
> 
> Since original wget is part of base install and thus inherently
> present on the medium, can't it somehow be used instead of the
> BusyBox version?


It's too early in the installation process to have wget ready and
installed when the preseed file is gathered. I don't know if busybox
wget can be enabled with HTTPS but I doubt we do it (as it will
probably require adding SSL libraries as well).

In short, I very much doubt that https gathering of preseed files is
easy to achieve.

(please reply to 698...@bugs.debian.org only)


