* Mattia Rizzolo [Fri Jul 03, 2015 at 09:12:46AM +0000]:
> On Fri, Jul 03, 2015 at 10:39:52AM +0200, Michael Prokop wrote:
> > * Mattia Rizzolo [Fri Jul 03, 2015 at 07:44:19AM +0000]:
> > > On Tue, Jun 30, 2015 at 10:54:18AM +0200, Michael Prokop wrote:

[MIRRORSITE setup with https]

> > Yes, apt-transport-https is indeed needed and that's what I'm doing
> > to set up the build envs:
> >
> > | /usr/sbin/cowbuilder --create [...] --debootstrapopts --include=apt-transport-https,ca-certificates
> >
> > ca-certificates isn't explicitly needed because it seems to be
> > pulled in anyway, but maybe we should add it explicitly as well,
> > what do you think?

> ca-certificates is a recommends of libcurl3-gnutls which is in turn a
> dependency of apt-transport-https. the chroots created by pbuilder disable the
> automatic installation of recommends, so you explicitly need it, yes.

ACK (JFTR: at least in squeeze ca-certificates is a hard dependency of
libcurl3-gnutls so it gets automatically pulled in anyway, as I just
verified).

> I'm not super happy about having ca-certificates (and that means openssl) in
> chroots, though I guess nobody is going to manually install single certificates
> for every host he's going to connect to, and ssl without trusting certs is
> useless. What a pain.
> Until this is not the default I'm ok, though.

Agreed.

> > > so if you really want https being automatically detected and used
> > > then you also want to add some conditional things that install
> > > apt-transport-https if needed.
> >
> > Would it be an option to check for usage of https in $MIRRORSITE
> > in /usr/lib/pbuilder/pbuilder-createbuildenv and then extend the
> > --include=apt option with apt-transport-https accordingly?

> not only -createbuildenv, but also -updatebuildenv. There are already a couple
> of cases where the installed packages are extended.
> And I think we also want to check for https in the chroot's
> /etc/apt/sources.list in -updatebuildenv, since a user might have added entries
> by hand and now he wants to use them.

Oh right, thanks for mentioning that.

> But, umh, this is going to be a bit tricky because the first `apt-get update`
> is going to fail due to the missing apt-transport-https, and the EXTRAPACKAGES
> check is done after that.

Right.

> Only now I see that you're explicitly installing them in the debootstrap
> phase, and not after, e.g. adding them to the EXTRAPACKAGES conf entry. umh.
> And as you can read in the comment above the debootstrap invocation (even if
> that would mean ignoring the --update use case), adding packages with --include
> is not safe from our pov, so that's not really as easy as I first thought.

Ok, that's what I was afraid of. :-/

> Please have a look at those two scripts and try to see if you can think of a
> clean solution for this :)

I will try to, though I can't promise any ETA currently.

My main concern with the current handling of pbuilder WRT https is that
even with DEBIAN_FRONTEND=noninteractive and only https entries present in
sources.list its installation fails with "Default mirror not found" and
prompts for interactive usage, which I consider a pity. Only via preseeding
do I manage to get pbuilder installed without failing/prompting for mirror
selection.

My patch prevents the failing pbuilder installation and leaves the
apt-transport-https handling to the user. As a first step we could maybe
include my current patch and clarify the usage of https WRT
apt-transport-https in pbuilder's documentation? This at least slightly
improves the situation for users of https-only sources.list and later on
we can further improve the situation. What do you think?

PS: Interestingly with

  # echo "pbuilder mirrorsite select https://debian..../debian" | debconf-set-selections

I still end up with "MIRRORSITE=http://cdn.debian.net/debian" in
/etc/pbuilderrc, didn't investigate closer though.

regards,
-mika-
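The https detection discussed in the thread (check $MIRRORSITE and the chroot's sources.list, then extend the debootstrap --include list with apt-transport-https and, because pbuilder chroots skip Recommends, ca-certificates), as an added sketch that is not pbuilder's own code; the function names and the sample sources.list are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of pbuilder: decide whether an https mirror needs
# apt-transport-https in the debootstrap --include list. Function names are
# hypothetical and not pbuilder's own.

# Return 0 if $1 (MIRRORSITE) or any active deb/deb-src line in $2
# (a sources.list path, may be empty) uses https://; comment lines are ignored.
uses_https() {
    mirror="$1"
    sources="$2"
    case "$mirror" in
        https://*) return 0 ;;
    esac
    if [ -n "$sources" ] && [ -r "$sources" ]; then
        if grep -Eq '^[[:space:]]*deb(-src)?[[:space:]]+(\[[^]]*\][[:space:]]+)?https://' "$sources"; then
            return 0
        fi
    fi
    return 1
}

# Extend a comma-separated --include list with the packages https needs,
# without duplicating entries that are already present.
extend_include() {
    include="$1"
    for pkg in apt-transport-https ca-certificates; do
        case ",$include," in
            *",$pkg,"*) ;;
            *) include="${include:+$include,}$pkg" ;;
        esac
    done
    printf '%s\n' "$include"
}

# Build the --include option as a createbuildenv-style script would.
build_include_opt() {
    mirror="$1"; sources="$2"; include="$3"
    if uses_https "$mirror" "$sources"; then
        include=$(extend_include "$include")
    fi
    printf '%s\n' "--include=$include"
}

# Constructed sample: http mirror, but the chroot's sources.list has an https entry.
sample=$(mktemp)
printf 'deb https://deb.debian.org/debian sid main\n' > "$sample"
build_include_opt "http://cdn.debian.net/debian" "$sample" "eatmydata"
rm -f "$sample"
```

The check is only half of the problem raised above: in -updatebuildenv the install must happen before the first `apt-get update`, or that update fails on the https entries.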