[Bug 1135163] Re: d-i can't install against an https mirror
Colin Watson
cjwatson at canonical.com
Wed Feb 12 17:15:48 UTC 2014
I've found one further issue, and a somewhat thorny one. Where we
resolve it probably depends on upstream response. It doesn't affect the
"ignore SSL certificates" case, so you may not be so worried about this;
but I do think we need to sort it out.

apt-transport-https uses libcurl to download from HTTPS. This works
fine if you're using a mirror whose root of trust is in ca-certificates,
or if you've disabled CA certificate checking. However, we're
specifically using libcurl3-gnutls, and cURL's GnuTLS backend only
supports using a CA bundle, not a directory. As a result it is awkward
to copy certificates from d-i to the target system.

The options I can think of at the moment are:

* add CA directory support to cURL's GnuTLS backend (which would make some sense given that wget supports this with GnuTLS)
* have apt-transport-https scan the CA directory itself manually
* integrate with ca-certificates to merge the certificates provided to d-i into the bundle (this might be a nice thing to do anyway, since it would place the installer-provided certificates under /usr/local/)

I've added a curl task to this bug to represent the first of these
options, but I'll need to think about this a bit and perhaps discuss it
with some other people.

** Changed in: curl (Ubuntu)
Importance: Undecided => High
** Changed in: curl (Ubuntu)
Status: New => Triaged
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to base-installer in Ubuntu.
https://bugs.launchpad.net/bugs/1135163
Title:
d-i can't install against an https mirror
Status in “apt-setup” package in Ubuntu:
In Progress
Status in “base-installer” package in Ubuntu:
In Progress
Status in “choose-mirror” package in Ubuntu:
Fix Released
Status in “curl” package in Ubuntu:
Triaged
Status in “debootstrap” package in Ubuntu:
Fix Released
Bug description:
It happens that d-i uses the wget from busybox, and as a result, it
can't install against an https mirror. This is clearly not intended
behavior, because apt-config is able to deal with https. Perhaps there
should be a wget udeb that includes the right bits to have ssl
support, or alternatively, busybox should support it.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt-setup/+bug/1135163/+subscriptions
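
The third option in the message above (merging a directory of certificates into the single bundle file that cURL's GnuTLS backend can read) can be sketched as follows. This is an added example, not code from the original message, apt or ca-certificates; the function names, file names and placeholder payloads are constructed, and blocks are only checked as well-formed base64, not parsed as X.509.

```python
import base64
import hashlib
import re
import tempfile
from pathlib import Path

# One PEM certificate block; other PEM types (private keys, CRLs) never match.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)


def merge_ca_dir(ca_dir, bundle_path):
    """Write every distinct certificate under ca_dir to one bundle; return the count."""
    seen, blocks = set(), []
    for path in sorted(Path(ca_dir).iterdir()):  # sorted for reproducible output
        if not path.is_file():                    # skips subdirs and dangling symlinks
            continue
        for match in PEM_CERT.finditer(path.read_text(errors="replace")):
            try:
                der = base64.b64decode("".join(match.group(1).split()), validate=True)
            except ValueError:                    # corrupt base64: drop this block
                continue
            digest = hashlib.sha256(der).digest()
            if digest in seen:                    # hash symlink or duplicate file
                continue
            seen.add(digest)
            b64 = base64.b64encode(der).decode()
            body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            blocks.append("-----BEGIN CERTIFICATE-----\n" + body
                          + "\n-----END CERTIFICATE-----\n")
    Path(bundle_path).write_text("".join(blocks))
    return len(blocks)


def demo():
    """Run the merge over constructed placeholder payloads (not real X.509 data)."""
    def pem(data):
        return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(data).decode()
                + "\n-----END CERTIFICATE-----\n")
    with tempfile.TemporaryDirectory() as tmp:
        ca = Path(tmp, "certs")
        ca.mkdir()
        (ca / "installer-a.crt").write_text(pem(b"constructed-cert-A"))
        (ca / "installer-b.pem").write_text(pem(b"constructed-cert-B")
                                            + pem(b"constructed-cert-A"))
        (ca / "README").write_text("no certificates here\n")
        bundle = Path(tmp, "bundle.crt")
        return merge_ca_dir(ca, bundle), bundle.read_text().count("BEGIN CERTIFICATE")
```

Deduplicating on the decoded bytes matters because a CA directory usually holds each certificate twice, once under its own name and once as a subject-hash symlink.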