Bug#885455: live-boot: Please drop wget from initrd (busybox provides wget)
On Friday, 23.02.2018, 20:17 +0100, Raphael Hertzog wrote:
> Control: tag -1 + pending
>
> On Fri, 23 Feb 2018, Kristian Klausen wrote:
> > Busybox version of wget does not check the certificate at all,
> > which defeats the purpose of https.
> > Tested with (on testing): busybox wget 'https://untrusted-root.badssl.com/'
> > and busybox wget 'https://expired.badssl.com/'
>
> At the same time, ca-certificates is not embedded in the initrd either, so
> certificates could not be checked. And the purpose of https is two-fold:
> privacy due to encryption (we have that), and authentication with
> certificates (we don't have that).
>
> I don't even know where live-boot is using URLs and what for. But I have
> committed the patch.

The fetch= and httpfs= live-boot parameters take URLs.

-- 
Benjamin Drung
System Developer
Debian & Ubuntu Developer
ProfitBricks GmbH
Greifswalder Str. 207
D - 10405 Berlin
Email: benjamin.dr...@profitbricks.com
URL: https://www.profitbricks.de
Registered office: Berlin
Commercial register: Amtsgericht Charlottenburg, HRB 125506 B
Managing directors: Achim Weiss, Matthias Steinberg
Bug#885455: live-boot: Please drop wget from initrd (busybox provides wget)
Control: tag -1 + pending

On Fri, 23 Feb 2018, Kristian Klausen wrote:
> Busybox version of wget does not check the certificate at all, which defeats
> the purpose of https.
> Tested with (on testing): busybox wget 'https://untrusted-root.badssl.com/'
> and busybox wget 'https://expired.badssl.com/'

At the same time, ca-certificates is not embedded in the initrd either, so
certificates could not be checked. And the purpose of https is two-fold:
privacy due to encryption (we have that), and authentication with
certificates (we don't have that).

I don't even know where live-boot is using URLs and what for. But I have
committed the patch.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
Processed: Re: Bug#885455: live-boot: Please drop wget from initrd (busybox provides wget)
Processing control commands:

> tag -1 + pending
Bug #885455 [src:live-boot] live-boot: Please drop wget from initrd (busybox provides wget)
Added tag(s) pending.

-- 
885455: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885455
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#885455: live-boot: Please drop wget from initrd (busybox provides wget)
> On Wednesday, 21.02.2018, 10:08 +0100, Raphael Hertzog wrote:
> > Hello,
> >
> > On Wed, 27 Dec 2017, Benjamin Drung wrote:
> > > The wget binary depends on many libraries. On Debian 9 (stretch) these
> > > are: libffi6, libgnutls30, libhogweed4, libidn11, libidn2-0, libnettle6,
> > > libp11-kit0, libpsl5, libtasn1-6, libunistring0. In total 8 megabytes.
> > > This increases the initramfs size a lot. To save space, use wget from
> > > busybox instead. Commit 4328832d0 that adds wget does not give a reason
> > > why busybox's wget is not used. A patch is tested and attached.
> >
> > The usual reason is for "https" support. Have you tried to use https
> > URLs in the various places where we can use URLs?
>
> Okay. I did some tests in a minimal schroot environment:
>
> (stretch)root@konstrukt:~# dpkg -s busybox | grep ^Version
> Version: 1:1.22.0-19+b3
> (stretch)root@konstrukt:~# busybox wget https://bugs.debian.org/
> wget: not an http or ftp url: https://bugs.debian.org/
>
> (buster)root@konstrukt:~# dpkg -s busybox | grep ^Version
> Version: 1:1.27.2-2
> (buster)root@konstrukt:~# busybox wget https://bugs.debian.org/
> Connecting to bugs.debian.org (209.87.16.39:443)
> Connecting to www.debian.org (5.153.231.4:443)
> index.html           100% |***|  18089   0:00:00 ETA
>
> So busybox in stretch does not support HTTPS, but it supports HTTPS in
> testing/unstable.

Busybox version of wget does not check the certificate at all, which defeats
the purpose of https.
Tested with (on testing): busybox wget 'https://untrusted-root.badssl.com/'
and busybox wget 'https://expired.badssl.com/'

- Kristian
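The manual badssl.com check from Kristian's message, generalised into a small probe that a maintainer can run against any fetcher (GNU wget, busybox wget, or a wrapper) before relying on https URLs in the initramfs. This is an added example, not code from the bug thread or from live-boot; the control URL https://badssl.com/ and the return-code convention are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report or live-boot): probe whether a
# fetcher validates TLS certificates, generalising the badssl.com test
# from the thread.  Usage: sh tls_probe.sh busybox wget -q -O /dev/null
#
# Return codes of tls_probe (assumed convention, not from the thread):
#   0  fetcher rejects both bad certificates -> it validates
#   1  fetcher accepts at least one bad certificate -> no validation
#   2  inconclusive: the control fetch failed (no network, or no https
#      support at all, as busybox 1:1.22.0 in stretch reports)

# Control URL with a valid certificate (assumed; not mentioned in the thread).
CONTROL_URL="https://badssl.com/"
# The two hosts from the thread; a correct client must refuse both.
BAD_URLS="https://untrusted-root.badssl.com/ https://expired.badssl.com/"

# tls_probe FETCH_CMD...   FETCH_CMD is run with the URL as its last argument.
tls_probe() {
    # Sanity check first: a fetcher that cannot even reach the control URL
    # tells us nothing about its certificate handling.
    if ! "$@" "$CONTROL_URL" >/dev/null 2>&1; then
        echo "inconclusive: '$*' cannot fetch $CONTROL_URL"
        return 2
    fi
    accepted=0
    for url in $BAD_URLS; do
        if "$@" "$url" >/dev/null 2>&1; then
            # A successful download here means the bad certificate was accepted.
            echo "ACCEPTED bad certificate: $url"
            accepted=1
        else
            echo "rejected: $url"
        fi
    done
    return $accepted
}

# Run the probe when invoked directly with a fetcher on the command line.
if [ $# -gt 0 ]; then
    tls_probe "$@"
fi
```

A fetcher that reports "rejected" for both hosts but "inconclusive" is never shown is the only one that should be trusted with an https fetch= or httpfs= URL.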
Bug#885455: live-boot: Please drop wget from initrd (busybox provides wget)
On Wednesday, 21.02.2018, 10:08 +0100, Raphael Hertzog wrote:
> Hello,
>
> On Wed, 27 Dec 2017, Benjamin Drung wrote:
> > The wget binary depends on many libraries. On Debian 9 (stretch) these
> > are: libffi6, libgnutls30, libhogweed4, libidn11, libidn2-0, libnettle6,
> > libp11-kit0, libpsl5, libtasn1-6, libunistring0. In total 8 megabytes.
> > This increases the initramfs size a lot. To save space, use wget from
> > busybox instead. Commit 4328832d0 that adds wget does not give a reason
> > why busybox's wget is not used. A patch is tested and attached.
>
> The usual reason is for "https" support. Have you tried to use https
> URLs in the various places where we can use URLs?

Okay. I did some tests in a minimal schroot environment:

(stretch)root@konstrukt:~# dpkg -s busybox | grep ^Version
Version: 1:1.22.0-19+b3
(stretch)root@konstrukt:~# busybox wget https://bugs.debian.org/
wget: not an http or ftp url: https://bugs.debian.org/

(buster)root@konstrukt:~# dpkg -s busybox | grep ^Version
Version: 1:1.27.2-2
(buster)root@konstrukt:~# busybox wget https://bugs.debian.org/
Connecting to bugs.debian.org (209.87.16.39:443)
Connecting to www.debian.org (5.153.231.4:443)
index.html           100% |***|  18089   0:00:00 ETA

So busybox in stretch does not support HTTPS, but it supports HTTPS in
testing/unstable.

I also verified that running wget on an https URL inside the minimal
boot=live initramfs works.

-- 
Benjamin Drung
System Developer
Debian & Ubuntu Developer
ProfitBricks GmbH
Bug#885455: live-boot: Please drop wget from initrd (busybox provides wget)
Hello,

On Wed, 27 Dec 2017, Benjamin Drung wrote:
> The wget binary depends on many libraries. On Debian 9 (stretch) these
> are: libffi6, libgnutls30, libhogweed4, libidn11, libidn2-0, libnettle6,
> libp11-kit0, libpsl5, libtasn1-6, libunistring0. In total 8 megabytes.
> This increases the initramfs size a lot. To save space, use wget from
> busybox instead. Commit 4328832d0 that adds wget does not give a reason
> why busybox's wget is not used. A patch is tested and attached.

The usual reason is for "https" support. Have you tried to use https
URLs in the various places where we can use URLs?

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer
Bug#885455: live-boot: Please drop wget from initrd (busybox provides wget)
Source: live-boot
Version: 1:20170623
Severity: normal
Tags: patch

Hi,

The wget binary depends on many libraries. On Debian 9 (stretch) these
are: libffi6, libgnutls30, libhogweed4, libidn11, libidn2-0, libnettle6,
libp11-kit0, libpsl5, libtasn1-6, libunistring0. In total 8 megabytes.
This increases the initramfs size a lot. To save space, use wget from
busybox instead. Commit 4328832d0 that adds wget does not give a reason
why busybox's wget is not used. A patch is tested and attached.

-- 
Benjamin Drung
System Developer
Debian & Ubuntu Developer
ProfitBricks GmbH

From d17fb6226a7f99d98b4a39275e85f31a762868b9 Mon Sep 17 00:00:00 2001
From: Benjamin Drung
Date: Tue, 19 Dec 2017 16:06:58 +0100
Subject: [PATCH] Drop wget (busybox provides wget)

The wget binary depends on many libraries. On Debian 9 (stretch) these
are: libffi6, libgnutls30, libhogweed4, libidn11, libidn2-0, libnettle6,
libp11-kit0, libpsl5, libtasn1-6, libunistring0. In total 8 megabytes.
This increases the initramfs size a lot. To save space, use wget from
busybox instead. Commit 4328832d0 that adds wget does not give a reason
why busybox's wget is not used.
---
 backend/initramfs-tools/live.hook | 7 ---
 1 file changed, 7 deletions(-)

diff --git a/backend/initramfs-tools/live.hook b/backend/initramfs-tools/live.hook
index 9af9eea..41811c3 100755
--- a/backend/initramfs-tools/live.hook
+++ b/backend/initramfs-tools/live.hook
@@ -139,13 +139,6 @@ then
 	copy_exec /bin/udevadm
 fi
 
-# Program: wget
-if [ -x /usr/bin/wget ]
-then
-	[ "${QUIET}" ] || echo -n " wget"
-	copy_exec /usr/bin/wget /bin
-fi
-
 # Program: blockdev
 if [ -x /sbin/blockdev ]
 then
-- 
2.14.1
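Review bot: the hunk removes the only step that placed a wget binary at /bin/wget in the initramfs ("copy_exec /usr/bin/wget /bin"), but nothing in the patch checks that the busybox wget applet is reachable under that name, so any live-boot script that invokes "wget" rather than "busybox wget" now depends on busybox's applet symlinks being present in the initrd; either add a guard in live.hook that fails loudly when neither /bin/wget nor a busybox wget applet is available, or state the requirement in the commit message. The commit message should also record the behaviour change documented in this thread: busybox wget in stretch (1:1.22.0-19+b3) rejects https URLs outright ("not an http or ftp url"), and the buster version (1:1.27.2-2) downloads over https without checking the certificate, so fetch= and httpfs= URLs over https lose their authentication after this change unless ca-certificates and a validating client are added to the initrd as well.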