On 20.11.2016 11:45, Cyril Brulebois wrote: >> But you are absolutely correct in for this to be universally useful, >> we'd also need a ca-certificates-udeb. I can take a look at that but I >> somewhat fear that it won't be that much smaller than the regular one >> (maybe ~150k udeb size). > > If you're going to need another cpio archive with PEM files, can't you > just add the needed bits (wget & libraries) for https there? > > Adding packages for every single image just so that Google people can > append a cpio archive with some CAs doesn't look too reasonable to me: > you need to do extra work on your end anyway, and everybody pays that > price without getting any advantage…
Well, I said why adding wget plus somehow determining the required libraries is harder than just adding some static content.[1] We also wouldn't need to do the PEM cpio dance if ca-certificates-udeb would be part of the image. We don't need to add an internal CA or something like that. I understand the bit about paying the price, which is why I tried to address that in my reply as well. Recent discussions on -devel showed that there's a general interest in HTTPS enablement. Kind regards Philipp Kern [1] Unless we rebuild d-i, which we could do.