On 11/20/2016 12:10 PM, Julien Cristau wrote:
> I think until there's a ca-certificates-udeb, adding wget for https in
> all images isn't reasonable, vs google rebuilding d-i with added wget
> and the PEM bits you need. I guess ca-certificates-udeb would need some
> way to preseed a list of trusted CAs.
I just tried it out with the following patch to the base package list: diff --git a/build/pkg-lists/base b/build/pkg-lists/base index 3da0e4c..6f1d955 100644 --- a/build/pkg-lists/base +++ b/build/pkg-lists/base @@ -25,3 +25,6 @@ ca-certificates-udeb libkmod2-udeb [linux] kldutils-udeb [kfreebsd] + +wget-udeb +ca-certificates-udeb choose-mirror does not ask for the protocol by default, as the question is priority medium. I did my installation by passing priority=medium on the command-line, but you could as well preseed the protocol to https I think. In that case it does not show a list of mirrors (because Mirrorlist does not list https capabilities), but works just fine with deb.debian.org, which points to Cloudfront for HTTPS support. d-i component load worked, debootstrap worked and the resulting chroot had apt-transport-https and a sources.list pointing to https://deb.debian.org. The security archive was added without https, but that's unavoidable at this point given that it does not actually support it. As for not breaking orion5x images, I suppose the following could do the trick: diff --git a/build/pkg-lists/netboot/armel/orion5x.cfg b/build/pkg-lists/netboot/armel/orion5x.cfg index 9fc7584..c0c8b83 100644 --- a/build/pkg-lists/netboot/armel/orion5x.cfg +++ b/build/pkg-lists/netboot/armel/orion5x.cfg @@ -1,2 +1,6 @@ # To control the LED and beeper on Buffalo devices micro-evtd-udeb + +# Do not include HTTPS support to keep the image small. +wget-udeb - +ca-certificates-udeb - However this is untested on armel because abel died on me when I tried to set up my chroot and debian-installer does not support cross-compilation. I tried out the same through amd64.cfg, overriding base and it worked for me. So I suppose this should be ok to commit and push? Kind regards and thanks Philipp Kern
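Review bot: in the build/pkg-lists/base hunk, the two added entries `wget-udeb` and `ca-certificates-udeb` carry no comment, while the orion5x.cfg override explains itself. Since this file feeds every image, a one-line comment above them (for example `# HTTPS mirror support`) would tell the next reader why they are here and that the pair belongs together. As the hunk is shown here, `ca-certificates-udeb` also appears directly after the `@@` header, so please check that the entry is not ending up in the list twice. The quoted concern about a way to preseed the list of trusted CAs is not addressed by this hunk and is worth a sentence in the commit message.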
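Review bot: in the orion5x.cfg hunk, the comment above `wget-udeb -` and `ca-certificates-udeb -` gives the size motive but not the consequence: with both removed, this image has no HTTPS support, so a preseeded https protocol would presumably not work on it. Suggest stating that in the comment. The message also says the override was only exercised through amd64.cfg and is untested on armel, so an actual orion5x build confirming that both udebs are dropped from the image would be good to have before this is pushed.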