Bug#885455: live-boot: Please drop wget from initrd (busybox provides wget)

2018-03-15 Thread Benjamin Drung
On Friday, 23.02.2018, 20:17 +0100, Raphael Hertzog wrote:
> Control: tag -1 + pending
> 
> On Fri, 23 Feb 2018, Kristian Klausen wrote:
> > Busybox version of wget does not check the certificate at all, which
> > defeats the purpose of https.
> > Tested with (on testing): busybox wget 'https://untrusted-root.badssl.com/'
> > and busybox wget 'https://expired.badssl.com/'
> 
> At the same time, ca-certificates is not embedded in the initrd either so
> certificates could not be checked. And the purpose of https is two-fold:
> privacy due to encryption (we have that), and authentication with
> certificates (we don't have that).
> 
> I don't even know where live-boot is using URL and what for. But I have
> committed the patch.

The fetch= and httpfs= live-boot parameters take URLs.

-- 
Benjamin Drung
System Developer
Debian & Ubuntu Developer

ProfitBricks GmbH
Greifswalder Str. 207
D - 10405 Berlin

Email: benjamin.dr...@profitbricks.com
URL: https://www.profitbricks.de

Registered office: Berlin
Register court: Amtsgericht Charlottenburg, HRB 125506 B
Managing directors: Achim Weiss, Matthias Steinberg



Bug#885455: live-boot: Please drop wget from initrd (busybox provides wget)

2018-02-23 Thread Raphael Hertzog
Control: tag -1 + pending

On Fri, 23 Feb 2018, Kristian Klausen wrote:
> Busybox version of wget does not check the certificate at all, which defeats
> the purpose of https.
> Tested with (on testing): busybox wget 'https://untrusted-root.badssl.com/'
> and busybox wget 'https://expired.badssl.com/'

At the same time, ca-certificates is not embedded in the initrd either so
certificates could not be checked. And the purpose of https is two-fold:
privacy due to encryption (we have that), and authentication with
certificates (we don't have that).

I don't even know where live-boot is using URL and what for. But I have
committed the patch.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
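Kristian's test (busybox wget accepting an untrusted or expired certificate) and Raphaël's point (no ca-certificates in the initrd) come down to one question an image builder can answer before booting: can this initrd authenticate the server behind a fetch= or httpfs= URL at all? The script below is an added example, not live-boot code; it assumes an already unpacked initramfs tree in which GNU wget is a real file at /bin/wget (what live.hook's copy_exec produces), busybox applets are symlinks to /bin/busybox, and the CA bundle sits at /etc/ssl/certs/ca-certificates.crt. The skeleton trees and the kernel command line it runs on are constructed.

```shell
#!/bin/sh
# Added example (not live-boot code): given an unpacked initramfs tree and a kernel
# command line, report whether a fetch=/httpfs= https URL will be authenticated.
# Assumed layout: GNU wget is a real file at /bin/wget (what live.hook's copy_exec
# produces), busybox applets are symlinks to /bin/busybox, CA bundle at Debian's path.
# Print the URL of the first fetch= or httpfs= argument; return 1 if there is none.
live_fetch_url() {
    for arg in $1; do
        case "$arg" in fetch=*|httpfs=*) printf '%s\n' "${arg#*=}"; return 0 ;; esac
    done
    return 1
}
# gnu-wget+ca verifies; gnu-wget lacks a trust store; busybox never checks; none: no wget.
initrd_https_fetcher() {
    if [ -x "$1/bin/wget" ] && [ ! -L "$1/bin/wget" ]; then
        [ -f "$1/etc/ssl/certs/ca-certificates.crt" ] && echo gnu-wget+ca || echo gnu-wget
    elif [ -x "$1/bin/busybox" ]; then echo busybox
    else echo none
    fi
}
# Return 0 only for an https URL the initrd can verify; otherwise explain and return 1.
audit_live_fetch() {
    url=$(live_fetch_url "$2") || { echo "no fetch=/httpfs= argument"; return 0; }
    case "$url" in https://*) ;; *) echo "$url: not https, no TLS at all"; return 1 ;; esac
    case "$(initrd_https_fetcher "$1")" in
        gnu-wget+ca) echo "$url: verified by GNU wget against the CA bundle"; return 0 ;;
        busybox)  echo "$url: busybox wget, encrypted but server NOT authenticated" ;;
        gnu-wget) echo "$url: GNU wget present but no ca-certificates in the initrd" ;;
        *)        echo "$url: no wget in the initrd at all" ;;
    esac
    return 1
}
# Constructed skeleton trees with stub executables, only for the demo and tests.
make_demo_tree() {
    mkdir -p "$2/bin" "$2/etc/ssl/certs"
    case "$1" in
        busybox)    printf '#!/bin/sh\n' > "$2/bin/busybox"; chmod +x "$2/bin/busybox"
                    ln -s busybox "$2/bin/wget" ;;
        gnuwget)    printf '#!/bin/sh\n' > "$2/bin/wget"; chmod +x "$2/bin/wget" ;;
        gnuwget-ca) make_demo_tree gnuwget "$2"; : > "$2/etc/ssl/certs/ca-certificates.crt" ;;
    esac
}
# Demo over the three skeletons; the command line below is made up.
tmp=$(mktemp -d); cmd='boot=live fetch=https://example.invalid/live/filesystem.squashfs'
for kind in busybox gnuwget gnuwget-ca; do
    make_demo_tree "$kind" "$tmp/$kind"; audit_live_fetch "$tmp/$kind" "$cmd" || true
done
rm -rf "$tmp"
```

On a real image, unpack the initrd first (for example with unmkinitramfs) and pass that directory together with the contents of the boot entry's kernel command line.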



Bug#885455: live-boot: Please drop wget from initrd (busybox provides wget)

2018-02-23 Thread Kristian Klausen
> On Wednesday, 21.02.2018, 10:08 +0100, Raphael Hertzog wrote:
> > Hello,
> >
> > On Wed, 27 Dec 2017, Benjamin Drung wrote:
> > > The wget binary depends on many libraries. On Debian 9 (stretch) these
> > > are: libffi6, libgnutls30, libhogweed4, libidn11, libidn2-0, libnettle6,
> > > libp11-kit0, libpsl5, libtasn1-6, libunistring0. In total 8 megabytes.
> > > This increases the initramfs size a lot. To save space, use wget from
> > > busybox instead. Commit 4328832d0 that adds wget does not give a reason
> > > why busybox's wget is not used. A patch is tested and attached.
> >
> > The usual reason is for "https" support. Have you tried to use https
> > URLs in the various places where we can use URLs?
>
> Okay. I did some tests in a minimal schroot environment:
>
> (stretch)root@konstrukt:~# dpkg -s busybox | grep ^Version
> Version: 1:1.22.0-19+b3
> (stretch)root@konstrukt:~# busybox wget https://bugs.debian.org/
> wget: not an http or ftp url: https://bugs.debian.org/
>
> (buster)root@konstrukt:~# dpkg -s busybox | grep ^Version
> Version: 1:1.27.2-2
> (buster)root@konstrukt:~# busybox wget https://bugs.debian.org/
> Connecting to bugs.debian.org (209.87.16.39:443)
> Connecting to www.debian.org (5.153.231.4:443)
> index.html   100% |***| 18089   0:00:00 ETA
>
> So busybox in stretch does not support HTTPS, but it supports HTTPS in
> testing/unstable.

Busybox version of wget does not check the certificate at all, which defeats the
purpose of https.
Tested with (on testing): busybox wget 'https://untrusted-root.badssl.com/' and
busybox wget 'https://expired.badssl.com/'

- Kristian



Bug#885455: live-boot: Please drop wget from initrd (busybox provides wget)

2018-02-22 Thread Benjamin Drung
On Wednesday, 21.02.2018, 10:08 +0100, Raphael Hertzog wrote:
> Hello,
> 
> On Wed, 27 Dec 2017, Benjamin Drung wrote:
> > The wget binary depends on many libraries. On Debian 9 (stretch) these
> > are: libffi6, libgnutls30, libhogweed4, libidn11, libidn2-0, libnettle6,
> > libp11-kit0, libpsl5, libtasn1-6, libunistring0. In total 8 megabytes.
> > This increases the initramfs size a lot. To save space, use wget from
> > busybox instead. Commit 4328832d0 that adds wget does not give a reason
> > why busybox's wget is not used. A patch is tested and attached.
> 
> The usual reason is for "https" support. Have you tried to use https
> URLs in the various places where we can use URLs?

Okay. I did some tests in a minimal schroot environment:

(stretch)root@konstrukt:~# dpkg -s busybox | grep ^Version
Version: 1:1.22.0-19+b3
(stretch)root@konstrukt:~# busybox wget https://bugs.debian.org/
wget: not an http or ftp url: https://bugs.debian.org/

(buster)root@konstrukt:~# dpkg -s busybox | grep ^Version
Version: 1:1.27.2-2
(buster)root@konstrukt:~# busybox wget https://bugs.debian.org/
Connecting to bugs.debian.org (209.87.16.39:443)
Connecting to www.debian.org (5.153.231.4:443)
index.html   100% |***| 18089   0:00:00 ETA

So busybox in stretch does not support HTTPS, but it supports HTTPS in
testing/unstable.

I also verified that running wget on a https URL inside the minimal
boot=live initramfs works.

-- 
Benjamin Drung
System Developer
Debian & Ubuntu Developer




Bug#885455: live-boot: Please drop wget from initrd (busybox provides wget)

2018-02-21 Thread Raphael Hertzog
Hello,

On Wed, 27 Dec 2017, Benjamin Drung wrote:
> The wget binary depends on many libraries. On Debian 9 (stretch) these
> are: libffi6, libgnutls30, libhogweed4, libidn11, libidn2-0, libnettle6,
> libp11-kit0, libpsl5, libtasn1-6, libunistring0. In total 8 megabytes.
> This increases the initramfs size a lot. To save space, use wget from
> busybox instead. Commit 4328832d0 that adds wget does not give a reason
> why busybox's wget is not used. A patch is tested and attached.

The usual reason is for "https" support. Have you tried to use https
URLs in the various places where we can use URLs?

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer




Bug#885455: live-boot: Please drop wget from initrd (busybox provides wget)

2017-12-27 Thread Benjamin Drung
Source: live-boot
Version: 1:20170623
Severity: normal
Tags: patch

Hi,

The wget binary depends on many libraries. On Debian 9 (stretch) these
are: libffi6, libgnutls30, libhogweed4, libidn11, libidn2-0, libnettle6,
libp11-kit0, libpsl5, libtasn1-6, libunistring0. In total 8 megabytes.
This increases the initramfs size a lot. To save space, use wget from
busybox instead. Commit 4328832d0 that adds wget does not give a reason
why busybox's wget is not used. A patch is tested and attached.

-- 
Benjamin Drung
System Developer
Debian & Ubuntu Developer

From d17fb6226a7f99d98b4a39275e85f31a762868b9 Mon Sep 17 00:00:00 2001
From: Benjamin Drung 
Date: Tue, 19 Dec 2017 16:06:58 +0100
Subject: [PATCH] Drop wget (busybox provides wget)

The wget binary depends on many libraries. On Debian 9 (stretch) these
are: libffi6, libgnutls30, libhogweed4, libidn11, libidn2-0, libnettle6,
libp11-kit0, libpsl5, libtasn1-6, libunistring0. In total 8 megabytes.
This increases the initramfs size a lot. To save space, use wget from
busybox instead. Commit 4328832d0 that adds wget does not give a reason
why busybox's wget is not used.
---
 backend/initramfs-tools/live.hook | 7 ---
 1 file changed, 7 deletions(-)

diff --git a/backend/initramfs-tools/live.hook 
b/backend/initramfs-tools/live.hook
index 9af9eea..41811c3 100755
--- a/backend/initramfs-tools/live.hook
+++ b/backend/initramfs-tools/live.hook
@@ -139,13 +139,6 @@ then
copy_exec /bin/udevadm
 fi
 
-# Program: wget
-if [ -x /usr/bin/wget ]
-then
-   [ "${QUIET}" ] || echo -n " wget"
-   copy_exec /usr/bin/wget /bin
-fi
-
 # Program: blockdev
 if [ -x /sbin/blockdev ]
 then
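Review bot: the commit message does not mention HTTPS, yet deleting the `copy_exec /usr/bin/wget /bin` block makes every fetch= and httpfs= URL depend on busybox's wget, and the thread shows that this is a behaviour change: stretch's busybox 1:1.22.0-19+b3 rejects https URLs outright ("wget: not an http or ftp url"), while the busybox in testing accepts them without checking the server certificate (untrusted-root.badssl.com and expired.badssl.com both download). Since ca-certificates is not shipped in the initrd either, the GNU binary could not have verified certificates anyway, so the practical regression is the loss of https support on stretch rather than a loss of authentication; suggest stating that in the commit message, or keeping the removed block conditional on a busybox that lacks https support, so image builders on stretch are not surprised.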
-- 
2.14.1