Bug#698528: debian-installer: BusyBox's wget doesn't preseed from HTTPS
On 09.08.2017 04:55, Chris Lamb wrote:
>> debian-installer: BusyBox's wget doesn't preseed from HTTPS
>
> Whilst this was originally reported in 2013, in late 2017 finding
> *any* internet location that doesn't redirect to HTTPS is extremely
> difficult and will only get more so.
>
> (Indeed, it wouldn't be too much of a stretch to justify removing
> *non*-HTTP support!)
>
>> Marga's been looking into this lately, see #802591 & #802596.
>
> These have now been closed :)

Yup, and should have fixed this issue with them. Explicitly adding Marga to confirm.

Kind regards
Philipp Kern
Bug#698528: debian-installer: BusyBox's wget doesn't preseed from HTTPS
Hi all,

> debian-installer: BusyBox's wget doesn't preseed from HTTPS

Whilst this was originally reported in 2013, in late 2017 finding *any* internet location that doesn't redirect to HTTPS is extremely difficult and will only get more so.

(Indeed, it wouldn't be too much of a stretch to justify removing *non*-HTTP support!)

> Marga's been looking into this lately, see #802591 & #802596.

These have now been closed :)

Regards,

--
Chris Lamb
la...@debian.org / chris-lamb.co.uk
Bug#698528: debian-installer: BusyBox's wget doesn't preseed from HTTPS
Hi Arnaud,

Arnaud Loonstra (2015-10-23):
> Simply hosting a preseed file on github.com fails, for example fails.
>
> This was an issue in the debian-installer in ubuntu as well but they seemed to
> have added https support. Couldn't it be added to the original installer?
>
> https://bugs.launchpad.net/ubuntu/+source/debian-installer/+bug/833994
>
> * Add HTTPS support to fetch-url, which will only work if d-i has been
> built with GNU wget; debian-installer/allow_unauthenticated_ssl
> implies the --no-check-certificate option (LP: #833994).

Marga's been looking into this lately, see #802591 & #802596.

I'm currently preparing a release (and having various changes outside Debian) so my free time is rather limited right now.

Mraw,
KiBi.
Bug#698528: debian-installer: BusyBox's wget doesn't preseed from HTTPS
Simply hosting a preseed file on github.com fails, for example fails.

This was an issue in the debian-installer in ubuntu as well but they seemed to have added https support. Couldn't it be added to the original installer?

https://bugs.launchpad.net/ubuntu/+source/debian-installer/+bug/833994

* Add HTTPS support to fetch-url, which will only work if d-i has been built with GNU wget; debian-installer/allow_unauthenticated_ssl implies the --no-check-certificate option (LP: #833994).
Bug#698528: debian-installer: BusyBox's wget doesn't preseed from HTTPS
Philip Hands p...@hands.com (20/01/2013):
> If you have a need for this, please feel free to add the missing pieces
> (or pay/beg me to do so ;-) ), as then we'll be able to have a framework
> for safely publishing example preseed recipes on debian.org

Either way, looks like jessie material.

Mraw,
KiBi.
Bug#698528: debian-installer: BusyBox's wget doesn't preseed from HTTPS
Christian PERRIER bubu...@debian.org writes:

> Quoting Kernc (kernc...@gmail.com):
>> Package: debian-installer
>> Version: 20121114
>> Severity: normal
>>
>> Dear Maintainer,
>>
>> When running automatic installation with preseed file, the installer fails to download the preseed config file if provided from a HTTPS location, e.g.
>> preseed/url=https://raw.github.com/kernc/linux-home/master/debfix-preseed.cfg
>>
>> The limitation is that of BusyBox's wget, which doesn't handle HTTPS. Since original wget is part of base install and thus inherently present on the medium, can't it somehow be used instead of the BusyBox version?
>
> It's too early in the installation process to have wget ready and installed when the preseed file is gathered.
>
> I don't know if busybox wget can be enabled with HTTPS but I doubt we do it (as it will probably require adding SSL libraries as well).
>
> In short, I very much doubt that https gathering of preseed files is easy to achieve.

One is prompted to ask why this is important -- do you want HTTPS because you're concerned about privacy, or concerned about the possibility of someone mounting a man-in-the-middle attack and providing alternative preseed files, or just because you're not currently running anything but an HTTPS server?

Some of those aims should be achievable by using HTTP based preseed files, and then checking them using gpgv before loading them.

Of course you need to have a trusted way of getting the keys you trust onto the install machine, but the same goes for the HTTPS server keys that you'd need to trust.

That could be as little as showing the fingerprint of the key to the user, and asking them to verify it against a piece of paper (as long as the d-i image that caused the fingerprint to be shown is trusted) -- or just having the keys on the CD or USB stick that you're installing from, say.

PXE booting (unless it has authentication) means that you cannot trust what's on the machine anyway ... at least not if you distrust your network enough to want HTTPS.

There are the beginnings of some preseed scripts that would allow this sort of checking, but without the actual gpg stuff yet, here:

http://hands.com/d-i/
http://hands.com/d-i/squeeze/

with the missing bit of the jigsaw being here:

http://hands.com/d-i/squeeze/checksigs.sh

which should ensure that gpgv is available, and then use it to check that a downloaded file of checksums is signed by a signature that we trust, and then use the checksums in that file for each of the matching files as it downloads them ... but all of that's missing at present.

It should be possible to do all that in a script that then needs no changes, such that the checksum can be set once and for all in:

http://hands.com/d-i/squeeze/preseed.cfg

which is what starts the ball rolling.

If you have a need for this, please feel free to add the missing pieces (or pay/beg me to do so ;-) ), as then we'll be able to have a framework for safely publishing example preseed recipes on debian.org

Cheers, Phil.

--
|)|  Philip Hands [+44 (0)20 8530 9560]  http://www.hands.com/
|-|  HANDS.COM Ltd.  http://www.uk.debian.org/
|(|  10 Onslow Gardens, South Woodford, London E18 1NE ENGLAND
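The two-step check described in the message above (verify the signature on a checksum list with gpgv, then compare each downloaded file against that list), sketched as an added example. It is not part of the thread and is not the checksigs.sh script linked there; the function names, the use of SHA-256 and the `sha256sum` list format are assumptions.

```shell
#!/bin/sh
# Added illustration; function names, SHA-256 and the "digest  name" list
# format are assumptions, not taken from checksigs.sh.

# Step 1: is the checksum list signed by a key in the trusted keyring?
# gpgv treats a keyring name without a slash as relative to the GnuPG
# home directory, so pass a path (e.g. a keyring shipped on the medium).
# A missing gpgv or keyring also returns non-zero, so the check fails closed.
sums_signature_ok() {   # usage: sums_signature_ok KEYRING SUMS SIG
    gpgv --keyring "$1" "$3" "$2" >/dev/null 2>&1
}

# Step 2: print the digest listed for NAME (sha256sum text or "*binary" form).
expected_sum() {        # usage: expected_sum SUMS NAME
    awk -v n="$2" '$2 == n || $2 == "*" n { print $1; exit }' "$1"
}

# Step 3: compare a downloaded file with its listed digest.
# Returns 0 on match, 1 on mismatch, 2 when NAME is not in the list.
file_matches_sums() {   # usage: file_matches_sums SUMS NAME PATH
    want=$(expected_sum "$1" "$2")
    [ -n "$want" ] || return 2
    got=$(sha256sum "$3" | awk '{ print $1 }')
    [ "$got" = "$want" ]
}

# Both steps in order: never consult the list before its signature verifies.
check_download() {      # usage: check_download KEYRING SUMS SIG NAME PATH
    sums_signature_ok "$1" "$2" "$3" || return 1
    file_matches_sums "$2" "$4" "$5"
}
```

A file that is absent from the signed list is rejected rather than loaded unchecked, which is what keeps a substituted or extra preseed file from slipping through.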
Bug#698528: debian-installer: BusyBox's wget doesn't preseed from HTTPS
Package: debian-installer
Version: 20121114
Severity: normal

Dear Maintainer,

When running automatic installation with preseed file, the installer fails to download the preseed config file if provided from a HTTPS location, e.g.
preseed/url=https://raw.github.com/kernc/linux-home/master/debfix-preseed.cfg

The limitation is that of BusyBox's wget, which doesn't handle HTTPS. Since original wget is part of base install and thus inherently present on the medium, can't it somehow be used instead of the BusyBox version?

-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 3.2.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- no debconf information
Bug#698528: debian-installer: BusyBox's wget doesn't preseed from HTTPS
Quoting Kernc (kernc...@gmail.com):
> Package: debian-installer
> Version: 20121114
> Severity: normal
>
> Dear Maintainer,
>
> When running automatic installation with preseed file, the installer fails to download the preseed config file if provided from a HTTPS location, e.g.
> preseed/url=https://raw.github.com/kernc/linux-home/master/debfix-preseed.cfg
>
> The limitation is that of BusyBox's wget, which doesn't handle HTTPS. Since original wget is part of base install and thus inherently present on the medium, can't it somehow be used instead of the BusyBox version?

It's too early in the installation process to have wget ready and installed when the preseed file is gathered.

I don't know if busybox wget can be enabled with HTTPS but I doubt we do it (as it will probably require adding SSL libraries as well).

In short, I very much doubt that https gathering of preseed files is easy to achieve.

(please reply to 698...@bugs.debian.org only)