
Bug#860467: apt-setup https protocol support in generators/91security for security mirror


Daniel Khodaparast

Apr 17, 2017, 7:50:02 AM
Package: apt-setup
Severity: normal

Dear Maintainer,

This observation resulted from working on a preseed configuration for an Ubuntu install, while attempting to use an internal security mirror we have for security.ubuntu.com. This mirror uses https, which after much debugging/digging is not a supported protocol by apt-setup for security_host and security_path.

Currently in generators/91security there is a bit of hardcoding that forces this to use the http protocol. There is no way to override this like with mirror/protocol. Unfortunately we had to create a non-https mirror of security.ubuntu.com as a stop-gap result.

It would be nice if there was an equivalent way to set this protocol as mirror/protocol. Preferably, this could be apt-setup/security_protocol to coincide with the existing parameters (security_host and security_path).

Example proposed preseed:

d-i apt-setup/services-select multiselect security
d-i apt-setup/security_protocol string https
d-i apt-setup/security_host string internal.mirror.net
d-i apt-setup/security_path string /current/security.ubuntu.com/ubuntu

Example resulting security mirror:

https://internal.mirror.net/current/security.ubuntu.com/ubuntu

This was also requested additionally per a conversation in #ubuntu-devel:

[17:15] <xnox_> DPK_, there is one more key for protocol i think
[17:15] <xnox_> but i can't remember if we ask that for security too, let me check quickly
[17:16] <xnox_> (cause we support http, ftp, https)
[17:17] == sergiusens [~serg...@181.111.178.194] has quit [Remote host closed the connection]
[17:17] <xnox_> DPK_, ha, we do not it is hardcoded to http
[17:17] <xnox_> for the security
[17:18] <xnox_> DPK_, i think you may need to apply sed to either generators/91security during install; or in the install hook; or post install.
[17:18] <xnox_> DPK_, could you please open a bug report against apt-setup requesting to support apt-setup/security_protocol key?


-- System Information:
Debian Release: stretch/sid
APT prefers xenial-updates
APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 'xenial'), (100, 'xenial-backports')
Architecture: amd64 (x86_64)

Kernel: Linux 4.4.0-66-generic (SMP w/1 CPU core)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Cyril Brulebois

Apr 17, 2017, 9:40:03 AM
Hi Daniel,

Daniel Khodaparast <daniel.kh...@bronto.com> (2017-04-17):
> This observation resulted from working on a preseed configuration for an
> Ubuntu install, while attempting to use an internal security mirror we have
> for security.ubuntu.com. This mirror uses https, which after much
> debugging/digging is not a supported protocol by apt-setup for security_host
> and security_path.
>
> Currently in generators/91security there is a bit of hardcoding that forces
> this to use the http protocol. There is no way to override this like with
> mirror/protocol. Unfortunately we had to create a non-https mirror of
> security.ubuntu.com as a stop-gap result.
>
> It would be nice if there was an equivalent way to set this protocol as
> mirror/protocol. Preferably, this could be apt-setup/security_protocol to
> coincide with the existing parameters (security_host and security_path).

Right now, the only setting available is apt-setup/security_host, and there's
no apt-setup/security_path (“debian-security” is hardcoded).

Adding support for both shouldn't be too hard but:
- we're trying to release stretch, so at some point it would be nice to
stop making changes;
- https support would be a nice addition but lacking it isn't a
regression at this point (as I mentioned on IRC, https support is
rather new); also, should it be automatically set to https if the
main mirror was selected as https?

At this point, I think it would be fair to ask interested people to work
on this in a buster branch, not to be uploaded to unstable until the
release of stretch?


KiBi.

Philipp Kern

Apr 18, 2017, 3:00:03 PM
On 17.04.2017 15:35, Cyril Brulebois wrote:
> Right now, the only setting available is apt-setup/security_host, and there's
> no apt-setup/security_path (“debian-security” is hardcoded).
>
> Adding support for both shouldn't be too hard but:
> - we're trying to release stretch, so at some point it would be nice to
> stop making changes;
> - https support would be a nice addition but lacking it isn't a
> regression at this point (as I mentioned on IRC, https support is
> rather new); also, should it be automatically set to https if the
> main mirror was selected as https?
>
> At this point, I think it would be fair to ask interested people to work
> on this in a buster branch, not to be uploaded to unstable until the
> release of stretch?

Yes. Especially as I think this can be worked around by using a local0
repository (which accepts an arbitrary URL).

Kind regards
Philipp Kern
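
The post-install sed workaround suggested in the IRC log of the original report, sketched as an added example (not code from apt-setup or from anyone in this thread). The function names and the sample sources.list content are assumptions; the host is the one from the proposed preseed.

```shell
#!/bin/sh
# Added example: switch the security entries written with a hardcoded
# http:// scheme to https://, for one named mirror host only.

# force_https_for_host FILE HOST
# Rewrites active deb/deb-src lines that point at http://HOST/.
# Other hosts, commented-out lines and https lines are left untouched.
force_https_for_host() {
    file=$1
    host=$2
    # Escape dots so the host is matched literally, not as a regex.
    host_re=$(printf '%s' "$host" | sed 's/\./\\./g')
    tmp="$file.tmp.$$"
    sed -e "/^deb[[:space:]]/ s#http://${host_re}/#https://${host}/#" \
        -e "/^deb-src[[:space:]]/ s#http://${host_re}/#https://${host}/#" \
        "$file" > "$tmp" || return 1
    # Write back in place so the file keeps its owner and mode.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# count_plain_http FILE HOST
# Prints how many active entries still fetch from HOST over plain http.
count_plain_http() {
    host_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -c "^deb[-a-z]*[[:space:]].*http://${host_re}/" "$1" || true
}

# write_sample FILE
# Constructed sources.list for trying the functions out offline.
write_sample() {
    cat > "$1" <<'EOF'
deb http://archive.ubuntu.com/ubuntu xenial main
deb http://internal.mirror.net/current/security.ubuntu.com/ubuntu xenial-security main
deb-src http://internal.mirror.net/current/security.ubuntu.com/ubuntu xenial-security main
# deb http://internal.mirror.net/current/security.ubuntu.com/ubuntu xenial-security universe
deb http://internalXmirror.net/ubuntu xenial-security main
EOF
}

# During installation the installed system is mounted under /target, so a
# preseed late_command could call, for example:
#   force_https_for_host /target/etc/apt/sources.list internal.mirror.net
#   [ "$(count_plain_http /target/etc/apt/sources.list internal.mirror.net)" = 0 ]
```

On releases whose apt lacks built-in https support (the reporter's xenial among them), the apt-transport-https package must be installed on the target for the rewritten entries to work.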